Flaw in Pulp Package Gives Oldest User with Task Permissions Ownership of All Task-Created Objects
CVE-2024-7143

8.3HIGH

What is CVE-2024-7143?

A vulnerability exists in the Pulp package because of how role-based access control (RBAC) permissions are assigned when an object is created. When an RBAC-enabled object is configured to grant permissions to its creator, Pulp uses the AutoAddObjPermsMixin, typically its add_roles_for_object_creator method. That method identifies the creator by reading the current authenticated user. For objects created inside a task, however, the current user is not the user who dispatched the task: it is set to the first user found with any permission on the task. In practice that is the oldest account holding model-level or domain-level task permissions, whether or not it dispatched the task. As a result, every object created in a task is owned by the wrong user: the real dispatcher receives no permissions on the objects they created, while the oldest user with task permissions is granted creator roles on all of them, undermining the intended access control.
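The failure mode described above, as an added stand-alone model that is not pulpcore's code: users, tasks and repositories are plain dataclasses, the permission and role strings are assumed rather than Pulp's exact names, and `current_user_vulnerable` reproduces the "first user with any permission on the task" lookup beside a hardened variant that uses the dispatcher recorded on the task. The `misowned_objects` helper is the kind of audit an operator would run over existing task-created objects to find ones whose roles went to the wrong account.

```python
# Added illustration of the CVE-2024-7143 logic; not pulpcore code. The class
# and function names (User, Task, Repository, users_with_task_perms,
# current_user_*) are hypothetical stand-ins for Pulp's Django models and
# role_util helpers, and the permission/role strings are assumed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class User:
    pk: int    # auto-increment primary key: a lower pk means an older account
    name: str


@dataclass
class Task:
    pk: int
    dispatched_by: User                                   # the API caller
    object_perms: Dict[User, Set[str]] = field(default_factory=dict)


@dataclass
class Repository:
    name: str
    created_by_task: Task
    roles: Dict[User, Set[str]] = field(default_factory=dict)


# Model-level (or domain-level) permissions on the Task model, e.g. from a
# broad read-only role. Assumed strings, not Pulp's exact permission names.
TASK_MODEL_PERMS = {"core.view_task", "core.change_task", "core.delete_task"}


def users_with_task_perms(task: Task, users: List[User],
                          model_perms: Dict[User, Set[str]]) -> List[User]:
    """Users holding any permission on `task`, via a model-level grant or an
    object-level grant, returned in primary-key order (oldest account first)."""
    return [
        u for u in sorted(users, key=lambda u: u.pk)
        if (model_perms.get(u, set()) & TASK_MODEL_PERMS)
        or task.object_perms.get(u)
    ]


def current_user_vulnerable(task: Task, users: List[User],
                            model_perms: Dict[User, Set[str]]) -> User:
    """Vulnerable resolution: 'the first user with any permission on the task'.
    Independent of who dispatched it, so it is the oldest privileged account."""
    return users_with_task_perms(task, users, model_perms)[0]


def current_user_fixed(task: Task, users: List[User],
                       model_perms: Dict[User, Set[str]]) -> User:
    """Hardened resolution: use the dispatcher recorded on the task itself."""
    return task.dispatched_by


def create_repository_in_task(name: str, task: Task, users: List[User],
                              model_perms: Dict[User, Set[str]],
                              resolve_current_user: Callable) -> Repository:
    """Analogue of add_roles_for_object_creator: grant the creator role to
    whoever the task runtime reports as the current user."""
    creator = resolve_current_user(task, users, model_perms)
    repo = Repository(name=name, created_by_task=task)
    repo.roles[creator] = {"core.repository_owner"}
    return repo


def misowned_objects(repos: List[Repository]) -> List[str]:
    """Audit helper: objects whose creator role went to someone other than
    the user who dispatched the creating task."""
    return [r.name for r in repos
            if r.created_by_task.dispatched_by not in r.roles]


# --- constructed scenario (sample data, not from a real deployment) --------
AUDITOR = User(pk=1, name="auditor")   # oldest account, can only view tasks
ALICE = User(pk=7, name="alice")       # the user who actually creates a repo
USERS = [ALICE, AUDITOR]               # deliberately not in pk order
MODEL_PERMS = {
    AUDITOR: {"core.view_task"},       # model-level: sees every task
    ALICE: {"core.add_repository"},
}
TASK = Task(pk=100, dispatched_by=ALICE)
TASK.object_perms[ALICE] = {"core.view_task"}  # dispatcher's object-level perm


def demo():
    """Create the same repository under both resolvers and return both."""
    vuln = create_repository_in_task("repo-vuln", TASK, USERS, MODEL_PERMS,
                                     current_user_vulnerable)
    fixed = create_repository_in_task("repo-fixed", TASK, USERS, MODEL_PERMS,
                                      current_user_fixed)
    return vuln, fixed


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable owner:", [u.name for u in vuln.roles])   # ['auditor']
    print("fixed owner:    ", [u.name for u in fixed.roles])   # ['alice']
    print("misowned:", misowned_objects([vuln, fixed]))        # ['repo-vuln']
```

Run stand-alone, the repository created in alice's task ends up owned by the oldest account that can merely list tasks, and alice herself holds no role on it. In a deployment, the equivalent audit is to compare each task-created object's role assignments against whatever record of the dispatching user the task keeps, and to treat any object whose roles sit only with an account that never dispatched the task as misassigned.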

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
6.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged
