194 matches found
EUVD-2022-2518
Malicious code in bioql PyPI...
EUVD-2024-2549
Malicious code in bioql PyPI...
pulpcore: RBAC permissions incorrectly assigned in tasks that create objects
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user...
Incorrect Permission Assignment
Pulp is vulnerable to Incorrect Permission Assignment. The vulnerability is due to the use of the AutoAddObjPermsMixin method, which sets permissions based on the oldest user with task permissions. This allows an attacker to gain unauthorized access or privileges, as the permissions for objects...
galaxy-ng (>=4.2.0a3 <=4.9.2), pulp-2to3-migration (>=0.0.1b1 <=0.17.0) +16 more potentially affected by CVE-2024-7143 via pulpcore (>=3.0.1 <=3.54.1)
pulpcore PYPI version =3.0.1, =4.2.0a3, =0.0.1b1, =0.2.0b6, =0.1.0rc4, =1.0.0, =0.1.0b4, =2.0.0b3, =0.1.0, =0.1.0, =0.1.0, =0.1.0a1.dev0, =2.0.0, =3.0.0, =3.0.0, =3.36.0 and more Source cves: CVE-2024-7143 Source advisory: OSV:GHSA-9M5J-4XX9-44J9...
GHSA-9M5J-4XX9-44J9 Pulp incorrectly assigns RBAC permissions in tasks that create objects
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user...
Pulp incorrectly assigns RBAC permissions in tasks that create objects
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user...
CVE-2024-7143
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user...
CVE-2024-7143 Pulpcore: rbac permissions incorrectly assigned in tasks that create objects
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user...
CVE-2024-7143
CVE-2024-7143 – Affected: Pulp RBAC object creation using AutoAddObjPermsMixin; root cause is that the system determines the object creator from the current authenticated user, which on tasks is inherited from the oldest user with task permissions. As a result, permissions on objects created with...
PT-2024-38106
Name of the Vulnerable Software and Affected Versions: Pulp (affected versions not specified). Description: A flaw was found in the Pulp package related to role-based access control (RBAC) objects. When an RBAC object is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin,...
Pulp security vulnerability
Pulp is an open source project from Pulp Open Source that enables developers to easily fetch, upload and distribute software packages locally or in the cloud. A security vulnerability exists in Pulp that stems from a problem with the way role-based access control objects are assigned permissions ...
RHEL 5 / 6 : CloudForms System Engine 1.1 update (Important) (RHSA-2012:1543)
The remote Red Hat Enterprise Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1543 advisory. Red Hat CloudForms is an on-premise hybrid cloud Infrastructure-as-a-Service (IaaS) product that lets you create and manage private and...
galaxy-ng (>=4.2.0 <=4.4.5), pulp-ansible (>=0.2.0 <=0.6.2) potentially affected by CVE-2023-5189 via galaxy-importer (>=0.1.1 <=0.4.0)
galaxy-importer PYPI version =0.1.1, =4.2.0, =0.2.0, =0.6.2 Source cves: CVE-2023-5189 Source advisory: OSV:GHSA-55G2-VM3Q-7W52...
Pulp: Tokens stored in plaintext
A flaw exists in the collection remote for pulp_ansible, where tokens are stored in plaintext instead of using pulp's encrypted field. This flaw allows an attacker with sufficient privileges to read the stored tokens, resulting in the loss of confidentiality...
Low: Red Hat Security Advisory: RHUI 4.3.0 release - Security Fixes, Bug Fixes, and Enhancements Update
An updated version of Red Hat Update Infrastructure (RHUI) is now available. RHUI 4.3 fixes a security bug, introduces multiple new features, and upgrades underlying Pulp to a Long Term Support (LTS) version. Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant framework that...
Information Disclosure
pulp-ansible is vulnerable to Information Disclosure. The vulnerability exists because the requirements_file parameter in models.py stores tokens in plain text instead of using pulp's encrypted field, allowing an attacker to modify tokens via the API...