A path traversal flaw was found in the ISO repository plugin for pulp. An attacker with access to a repository that feeds pulp can carefully craft that repository to overwrite arbitrary files owned by the Apache web server.
A flaw was found in pulp 2.16.x and possibly older versions. A malicious user or a malicious ISO feed repository can write to locations accessible to the ‘apache’ user. This may lead to the overwriting of published content on other ISO repositories.
Red Hat Enterprise Virtualization Hypervisor includes only selected components of pulp, which are not affected by this flaw.
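The core of the flaw described above is that file names taken from a feed's manifest were used to build destination paths without checking that the result stays inside the repository's publish directory. The following is an added example, not pulp's own code, showing the containment check a sync routine should apply before writing. The comma-separated "name,sha256,size" manifest layout and the destination directory are assumptions made for the example; the manifest lines are constructed.

```python
import os
import posixpath
from typing import List, Optional, Tuple

# Constructed sample manifest. The three-field "name,sha256,size" layout is an
# assumption about the feed format; only the name column matters here.
SAMPLE_MANIFEST = """\
images/rhel-boot.iso,aaaa,1048576
../../var/www/html/pub/other-repo/index.html,bbbb,2048
/etc/httpd/conf.d/evil.conf,cccc,512
docs/readme.txt,dddd,128
a/../../escape.iso,eeee,64
"""

# Hypothetical publish directory for one ISO repository.
DEST_DIR = "/srv/pulp-published/iso/repo1"


def resolve_under(dest_dir: str, name: str) -> Optional[str]:
    """Return the absolute path `name` would occupy inside `dest_dir`,
    or None if the name escapes that directory.

    Rejects absolute names (os.path.join would discard the root), names
    carrying backslashes or NULs, and any name whose normalised form, after
    symlink resolution, is not strictly below dest_dir.
    """
    root = os.path.realpath(dest_dir)
    if not name or posixpath.isabs(name) or "\\" in name or "\0" in name:
        return None
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root:
        return None  # "." or an empty component: nothing to write
    # commonpath works on path components, so "/srv/x" does not match "/srv/xy".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def check_manifest(manifest: str, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Split manifest entries into names safe to write under dest_dir and
    names that must be refused. A sync routine would abort or skip on any
    rejected entry instead of letting the feed choose the destination."""
    accepted, rejected = [], []
    for line in manifest.splitlines():
        if not line.strip():
            continue
        name = line.split(",", 1)[0]
        if resolve_under(dest_dir, name) is None:
            rejected.append(name)
        else:
            accepted.append(name)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_manifest(SAMPLE_MANIFEST, DEST_DIR)
    print("accepted:", ok)
    print("rejected:", bad)
```

Doing the check on the fully resolved path, rather than on the raw string, matters because `a/../../escape.iso` contains no leading `..` yet still climbs out once normalised, and because a symlink already present in the publish directory could redirect an otherwise innocent-looking name.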
Name: Simon Baatz (Telekom Deutschland GmbH)
Created pulp tracking bugs for this issue:
Affects: fedora-all [bug 1616079]
Red Hat Update Infrastructure (RHUI) does not ship ISO content, so the vulnerability cannot be triggered during regular usage of rhui-manager. However, a user could still run (or be tricked into running) pulp commands that trigger the vulnerability on the Red Hat Update Appliance (RHUA).
This issue has been addressed in the following products:
Red Hat Satellite 6.5 for RHEL 7
Via RHSA-2019:1222 https://access.redhat.com/errata/RHSA-2019:1222