CVE-2018-10917
Description
pulp 2.16.x and possibly older is vulnerable to improper path parsing. A malicious user or a malicious ISO feed repository can write to locations accessible to the 'apache' user. This may lead to the overwriting of published content on other ISO repositories.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pulp 2.16.x has an improper path parsing flaw allowing a malicious user or ISO feed repository to write files to locations accessible by the 'apache' user, potentially overwriting published content on other ISO repositories.
Vulnerability
Pulp versions 2.16.x (and possibly older) contain an improper path parsing vulnerability in the ISO repository handling code. The issue allows a malicious user with repository write access, or a malicious ISO feed repository, to inject crafted paths that bypass normal path validation. This enables writing files to arbitrary directories accessible to the 'apache' user on the Pulp server [1][2][3][4].
Exploitation
An attacker must have valid credentials to write to a Pulp ISO repository, or be able to supply a malicious ISO feed repository that Pulp syncs from. The attacker crafts an ISO feed or file metadata with path elements (such as ../) that are not properly sanitized. When Pulp processes the feed, it writes content to a location on the filesystem outside of the intended repository storage directory [4].
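A containment check of the kind that closes this class of bug, added here as an illustration and not taken from Pulp's own code: every path read from feed metadata is mapped onto disk only if it resolves inside the repository's storage root. The repository root and the three-field manifest entries (name, checksum, size) are constructed for the example.

```python
import os
from pathlib import PurePosixPath


class UnsafeFeedPath(ValueError):
    """A feed-supplied path would land outside the repository storage root."""


def resolve_feed_path(repo_root, feed_path):
    """Map a relative path taken from feed metadata onto disk under repo_root.

    Rejects empty or NUL-containing names, absolute paths, any '..' component
    (even ones that would normalise back inside the root), and anything whose
    fully resolved location is not beneath the resolved root."""
    if not feed_path or "\x00" in feed_path:
        raise UnsafeFeedPath("empty or NUL-containing path: %r" % feed_path)
    p = PurePosixPath(feed_path)
    if p.is_absolute():
        raise UnsafeFeedPath("absolute path not allowed: %r" % feed_path)
    if ".." in p.parts:
        raise UnsafeFeedPath("parent-directory component in %r" % feed_path)
    root = os.path.realpath(repo_root)
    candidate = os.path.realpath(os.path.join(root, feed_path))
    # realpath() follows symlinks, so a link planted inside the repository
    # that points elsewhere is caught here as well.
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UnsafeFeedPath("%r resolves outside %s" % (feed_path, root))
    return candidate


def vet_manifest(repo_root, entries):
    """Split (name, checksum, size) manifest entries into those safe to write
    under repo_root and those to refuse, keyed by name with the reason."""
    accepted, rejected = {}, {}
    for name, _checksum, _size in entries:
        try:
            accepted[name] = resolve_feed_path(repo_root, name)
        except UnsafeFeedPath as exc:
            rejected[name] = str(exc)
    return accepted, rejected


# Constructed sample manifest, not a real feed: one benign entry plus three
# that try to land on another repository's published content.
SAMPLE_ENTRIES = [
    ("images/boot.iso", "0" * 64, 4096),
    ("../repo-b/images/boot.iso", "0" * 64, 4096),
    ("/var/lib/pulp/published/http/isos/repo-b/boot.iso", "0" * 64, 4096),
    ("images/../../repo-b/boot.iso", "0" * 64, 4096),
]

if __name__ == "__main__":
    ok, bad = vet_manifest("/tmp/pulp-iso-repo-a", SAMPLE_ENTRIES)
    print("accepted:", sorted(ok))
    print("rejected:", bad)
```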
Impact
Successful exploitation allows the attacker to write arbitrary files to paths writable by the 'apache' user. This can lead to overwriting published content of other ISO repositories, potentially altering or replacing trusted software packages. The attacker may also be able to place malicious files that could be served to users, leading to further compromise [4].
Mitigation
A fix is included in Red Hat Satellite 6.5 (errata RHSA-2019:1222) and Red Hat Enterprise Linux 7 (errata RHEA-2019:1283). Users should upgrade to the patched versions of Pulp (2.16.x after the fix) provided in these errata. There is no known workaround; the recommended mitigation is to apply updates immediately [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pulpcore (PyPI) | <= 2.16 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
References
- access.redhat.com/errata/RHSA-2019:1222 (Red Hat vendor advisory)
- github.com/advisories/GHSA-574p-6fw4-4hw8 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-10917 (NVD)
- access.redhat.com/errata/RHEA-2019:1283 (Red Hat errata)
- access.redhat.com/security/cve/CVE-2018-10917 (Red Hat CVE page)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla)
- bugzilla.redhat.com/show_bug.cgi (Red Hat Bugzilla, confirmation reference)