Veracode Vulnerability Database: VERACODE:48412
History: Aug 08, 2024 - 3:50 a.m.

Incorrect Permission Assignment

2024-08-08 03:50:09
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: pulp, vulnerability, incorrect permission assignment, autoaddobjpermsmixin, unauthorized access, privileges, oldest user

CVSS3: 8.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

AI Score: 7
Confidence: High

EPSS: 0.001
Percentile: 31.3%

Pulp is vulnerable to Incorrect Permission Assignment. The vulnerability is due to the use of AutoAddObjPermsMixin, which, for objects created in tasks, assigns permissions to the oldest user with task permissions instead of the actual creator. This allows an attacker to gain unauthorized access or privileges.
