Bug 2300125 (CVE-2024-7143) - CVE-2024-7143 pulpcore: RBAC permissions incorrectly assigned in tasks that create objects
Keywords:
Status: NEW
Alias: CVE-2024-7143
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-07-26 19:05 UTC by Robb Gatica
Modified: 2025-06-17 08:27 UTC (History)
CC: 30 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System: Red Hat Product Errata | ID: RHSA-2024:6765 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2024-09-18 16:04:22 UTC

Description Robb Gatica 2024-07-26 19:05:14 UTC
When an RBAC object in Pulp is set to assign perms on its creation, it uses the AutoAddObjPermsMixin, typically the method add_roles_for_object_creator. This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the *first* user with *any* perms on the task object. This means the *oldest* user with model/domain-level task perms will always be set to the current user of a task, even if they didn't dispatch the task. Thus all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

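The mechanism the report describes, as an added stand-alone illustration (this is not pulpcore code and not part of the original bug report): a task records which users hold any permission on it, the flawed lookup resolves the task's "current user" to the oldest such account, and the creator-role assignment then lands on that account rather than on the dispatcher. The only names taken from the report are AutoAddObjPermsMixin and add_roles_for_object_creator; User, Task, Repository, current_user_buggy, current_user_fixed and run_create_task are assumptions chosen for the demonstration, and the "fixed" lookup (recording the dispatching user on the task) is one plausible correction, not a claim about what the upstream fix does.

```python
# Added illustration of the permission-assignment bug described in the report.
# Stand-alone model, not pulpcore code: the classes and helpers below other than
# the names AutoAddObjPermsMixin / add_roles_for_object_creator are assumptions,
# and permission storage is reduced to plain Python sets and dicts.
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    pk: int          # lower pk == older account on the instance
    username: str


@dataclass
class Task:
    pk: int
    # every user who holds *any* permission on this task, whether it was granted
    # at model, domain or object level (the report says all of them qualify)
    users_with_perms: set = field(default_factory=set)
    # the fact the flawed lookup ignores: who actually dispatched the task
    dispatched_by: Optional[User] = None


@dataclass
class Repository:
    name: str
    roles: dict = field(default_factory=dict)   # username -> set of role names


def current_user_buggy(task: Task) -> Optional[User]:
    """Model of the flawed lookup: 'the first user with any perms on the task'.
    Walking permission holders in pk order means the oldest account wins,
    regardless of who dispatched the task."""
    return min(task.users_with_perms, key=lambda u: u.pk, default=None)


def current_user_fixed(task: Task) -> Optional[User]:
    """Assumed correction: resolve to the user recorded at dispatch time."""
    return task.dispatched_by


def add_roles_for_object_creator(obj: Repository, creator: User, role: str) -> None:
    """Model of AutoAddObjPermsMixin.add_roles_for_object_creator: grant `role`
    on the newly created object to whoever the task's current user resolves to."""
    obj.roles.setdefault(creator.username, set()).add(role)


def run_create_task(dispatcher: User, older_admin: User,
                    lookup: Callable[[Task], Optional[User]]) -> dict:
    """Simulate a task, dispatched by `dispatcher`, that creates a Repository.
    `older_admin` is an older account holding model-level task permissions and
    therefore also counts as 'having perms' on this task."""
    task = Task(pk=1, dispatched_by=dispatcher)
    task.users_with_perms.update({older_admin, dispatcher})
    repo = Repository(name="demo")          # the object created inside the task
    creator = lookup(task)
    add_roles_for_object_creator(repo, creator, "core.repository_owner")
    return repo.roles


def demo() -> dict:
    """Run the same task through both lookups and return who got the role."""
    admin = User(pk=1, username="admin")    # constructed: oldest account
    alice = User(pk=42, username="alice")   # constructed: the real dispatcher
    return {
        "buggy": run_create_task(alice, admin, current_user_buggy),
        "fixed": run_create_task(alice, admin, current_user_fixed),
    }


if __name__ == "__main__":
    result = demo()
    print("buggy lookup grants owner role to:", sorted(result["buggy"]))  # ['admin']
    print("fixed lookup grants owner role to:", sorted(result["fixed"]))  # ['alice']
```

Run it directly to see the two outcomes side by side: under the buggy lookup the owner role on the new repository goes to the oldest account and the dispatcher receives nothing, which is exactly the privilege misassignment the report describes; once the task carries the dispatcher's identity, the role follows the user who actually created the object.
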
Comment 3 errata-xmlrpc 2024-09-18 16:04:21 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 9
  Red Hat Ansible Automation Platform 2.4 for RHEL 8

Via RHSA-2024:6765 https://access.redhat.com/errata/RHSA-2024:6765

