RedhatCVELIST:CVE-2024-7923CVE-2024-7923 Puppet-pulpcore: an authentication bypass vulnerability exists in pulpcore
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
30.0%
An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache’s mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.
CNA Affected
[
{
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.13 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "foreman-installer",
"defaultStatus": "affected",
"versions": [
{
"version": "1:3.5.2.8-1.el8sat",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:satellite:6.13::el8",
"cpe:/a:redhat:satellite_utils:6.13::el8",
"cpe:/a:redhat:satellite_capsule:6.13::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.13 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "foreman-installer",
"defaultStatus": "affected",
"versions": [
{
"version": "1:3.5.2.8-1.el8sat",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:satellite:6.13::el8",
"cpe:/a:redhat:satellite_utils:6.13::el8",
"cpe:/a:redhat:satellite_capsule:6.13::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.14 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "foreman-installer",
"defaultStatus": "affected",
"versions": [
{
"version": "1:3.7.0.8-1.el8sat",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:satellite:6.14::el8",
"cpe:/a:redhat:satellite_capsule:6.14::el8",
"cpe:/a:redhat:satellite_utils:6.14::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.14 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "foreman-installer",
"defaultStatus": "affected",
"versions": [
{
"version": "1:3.7.0.8-1.el8sat",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:satellite:6.14::el8",
"cpe:/a:redhat:satellite_capsule:6.14::el8",
"cpe:/a:redhat:satellite_utils:6.14::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.15 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "foreman-installer",
"defaultStatus": "affected",
"versions": [
{
"version": "1:3.9.3.4-1.el8sat",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:satellite_utils:6.15::el8",
"cpe:/a:redhat:satellite_capsule:6.15::el8",
"cpe:/a:redhat:satellite:6.15::el8"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Satellite 6.15 for RHEL 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "foreman-installer",
"defaultStatus": "affected",
"versions": [
{
"version": "1:3.9.3.4-1.el8sat",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:satellite_utils:6.15::el8",
"cpe:/a:redhat:satellite_capsule:6.15::el8",
"cpe:/a:redhat:satellite:6.15::el8"
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
30.0%