CVE-2024-7923

Key Information
CVE Number: CVE-2024-7923
Public Disclosure Date: September 4, 2024
Last Modified Date: September 4, 2024
Severity: Approved

Vulnerability Description
Impact: A misconfiguration in Pulpcore deployed with Gunicorn versions prior to 22.0 leads to an authentication bypass vulnerability.

Affected Systems
Affected Satellite Deployment Versions: 6.13, 6.14, and 6.15
Affected Pulpcore Versions: 3.0+
Potential Impact: Unauthorized users may gain administrative access.

Exploitation
Exploitation Method: Apache’s mod_proxy does not properly clear underscores in HTTP headers, allowing authentication bypass via malformed headers.
Demonstration Method: Bypass authentication using specific request headers.

Remediation
Fix: A patch has been released to address this vulnerability.

CVSS Score
CVSS v3 Base Score: 9.8
CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Additional Information
Source: CVE-2024-7923
External Reference: CVE-2024-7923
Affected Packages and Red Hat Security Patches: A patch has been released to fix this vulnerability.

Summary
This vulnerability is an authentication bypass flaw affecting Pulpcore configurations with Gunicorn versions prior to 22.0. Affected Satellite deployment versions include 6.13, 6.14, and 6.15, and affected Pulpcore versions are 3.0+. The vulnerability is exploited by leveraging Apache’s mod_proxy failing to properly clear underscores in HTTP headers. A patch has been released to remediate this issue.