Description
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
Scores
CVSS v3
8.3
EPSS
0.0004
EPSS Percentile
13.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-277
Status
published
Products (14)
pulpproject/pulp
pypi/pulpcore
0PyPI
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8
0:1.26.20-1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8
0:1.4.8-1.1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8
0:3.28.32-1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8
0:4.2.16-1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 8
0:4.5.11-1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 9
0:1.26.20-1.el9ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 9
0:1.4.8-1.1.el9ap
Red Hat/Red Hat Ansible Automation Platform 2.4 for RHEL 9
0:3.28.32-1.el9ap
... and 4 more
Published
Aug 07, 2024
Tracked Since
Feb 18, 2026