CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
AI Score
Confidence: High
EPSS
Percentile: 31.3%
Pulp is vulnerable to Incorrect Permission Assignment. The vulnerability is due to the use of AutoAddObjPermsMixin, which sets permissions based on the oldest user with task permissions: objects created in tasks have their permissions assigned to that user instead of to the actual creator. This allows an attacker to gain unauthorized access or privileges.
access.redhat.com/errata/RHSA-2024:6765
access.redhat.com/security/cve/CVE-2024-7143
bugzilla.redhat.com/show_bug.cgi?id=2300125
github.com/advisories/GHSA-9m5j-4xx9-44j9
github.com/pulp/pulpcore/blob/93f241f34c503da0fbac94bdba739feda2636e12/pulpcore/tasking/_util.py#L108
github.com/pulp/pulpcore/commit/bd4f76d97473d7d7fb1daedb0f2fae72df39aff1