Key Information

CVE Number: CVE-2024-7143
Public Disclosure Date: August 7, 2024
Last Modified Date: August 7, 2024
Severity: Medium

Vulnerability Description

A vulnerability has been identified in the Pulp package. When Role-Based Access Control (RBAC) objects in Pulp are configured to assign permissions for the objects they create, they utilize (typically via the method). This mechanism identifies the object creator by checking the currently authenticated user. For objects created within tasks, the current user is set as the creator of the task object, even if they did not execute the task. As a result, the oldest user with model/domain-level task permissions is always designated as the current user for the task, even if they did not perform it. Consequently, all objects created within the task inherit the permissions assigned to this oldest user, while the actual creator receives no permissions.

Patch Information

Affected Packages and Red Hat Security Patches:
- Red Hat Ansible Automation Platform 2
- Red Hat Satellite 6
- Red Hat Update Infrastructure 4 for Cloud Providers

CVSS Score

CVSS v3 Base Score: 6.7
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low

Additional Information

This page was automatically generated by Red Hat and has not been checked for errors or omissions. Contact Red Hat Product Security for clarification or corrections.
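The identity-propagation failure described above, modelled as an added example (hypothetical code, not Pulp's own implementation): a buggy resolver that picks the oldest task-permitted user as "current user" inside a task, a fixed resolver that carries the dispatching identity on the task record, and an audit check that flags objects whose permissions were granted to someone other than the dispatcher. `User`, `Task`, `Artifact` and the resolver names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set

# Hypothetical model of the pieces the advisory talks about; not Pulp's API.
@dataclass(frozen=True)
class User:
    name: str
    uid: int                    # lower uid = created earlier ("oldest" user)
    can_run_tasks: bool = False # model/domain-level task permission

@dataclass
class Task:
    dispatched_by: User         # who actually submitted the task

@dataclass
class Artifact:
    name: str
    permitted: Set[str] = field(default_factory=set)  # users granted access

def resolve_current_user_buggy(task: Task, users: List[User]) -> User:
    # Flawed behaviour from the advisory: inside a task the "current user"
    # resolves to the oldest user holding task permission, regardless of
    # who dispatched the task.
    eligible = sorted((u for u in users if u.can_run_tasks), key=lambda u: u.uid)
    return eligible[0]

def resolve_current_user_fixed(task: Task, users: List[User]) -> User:
    # Hardened variant: the dispatching identity was recorded on the task
    # when it was created and is propagated into the task context.
    return task.dispatched_by

def create_in_task(task: Task, users: List[User],
                   resolver: Callable[[Task, List[User]], User],
                   name: str) -> Artifact:
    # Object created during task execution; creator permissions go to
    # whoever the resolver says the current user is.
    creator = resolver(task, users)
    return Artifact(name, {creator.name})

def owner_mismatch(task: Task, artifact: Artifact) -> bool:
    # Audit check: true when permissions were granted to anyone other than
    # the user who dispatched the task. Useful for reviewing existing data.
    return artifact.permitted != {task.dispatched_by.name}
```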