Executive Summary

Information
Name : CVE-2024-7143
Vendor : Cve
First vendor Publication : 2024-08-07
Last vendor Modification : 2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Overall CVSS Score : 8.3
Base Score : 8.3
Environmental Score : 8.3
Impact SubScore : 5.5
Temporal Score : 8.3
Exploitability Sub Score : 2.8

Attack Vector : Network
Attack Complexity : Low
Privileges Required : Low
User Interaction : None
Scope : Unchanged
Confidentiality Impact : High
Integrity Impact : High
Availability Impact : Low

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score : N/A
Cvss Impact Score : N/A
Cvss Exploit Score : N/A
Attack Range : N/A
Attack Complexity : N/A
Authentication : N/A

Detail

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7143

CPE : Common Platform Enumeration

Type : Application
Count : 1

Sources (Detail)

https://access.redhat.com/errata/RHSA-2024:6765
https://access.redhat.com/security/cve/CVE-2024-7143
https://bugzilla.redhat.com/show_bug.cgi?id=2300125
https://github.com/pulp/pulpcore/blob/93f241f34c503da0fbac94bdba739feda2636e1...
https://github.com/pulp/pulpcore/blob/main/CHANGES.md

Alert History

Date Information
2024-11-25 09:23:14
  • Multiple Updates
2024-09-19 00:27:46
  • Multiple Updates
2024-09-17 17:27:44
  • Multiple Updates
2024-08-08 00:27:22
  • Multiple Updates
2024-08-07 21:27:25
  • First insertion