Bug 2300125 (CVE-2024-7143)

Summary: CVE-2024-7143 pulpcore: RBAC permissions incorrectly assigned in tasks that create objects
Product: [Other] Security Response Reporter: Robb Gatica <rgatica>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: brking, ehelms, ggainey, gtanzill, haoli, hkataria, jcammara, jmitchel, jneedle, juwatts, kshier, mabashia, mhulan, mminar, nmoumoul, osoukup, pbraun, pcreech, rbiba, rchan, security-response-team, simaishi, smallamp, smcdonal, sskracic, stcannon, teagle, tfister, thavo, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robb Gatica 2024-07-26 19:05:14 UTC 
When an RBAC object in Pulp is set to assign perms on its creation it uses the AutoAddObjPermsMixin, typically the method add_roles_for_object_creator. This method finds the object creator by checking the current authenticated user. For objects that are created within a task this current user is set by the *first* user with *any* perms on the task object. This means the *oldest* user with model/domain-level  task perms will always be set to the current user of a task even if they didn't dispatch the task. Thus all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
Comment 3 errata-xmlrpc 2024-09-18 16:04:21 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:6765 https://access.redhat.com/errata/RHSA-2024:6765