Pulpcore: rbac permissions incorrectly assigned in tasks that create objects
Description
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
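To make the mechanism concrete, the following is an added Python model (not pulpcore's code; only the mixin and method names come from the description above) of the flawed creator lookup beside a corrected one that records the dispatching user, plus an audit helper a defender could use to find task-created objects whose owner is not the user who dispatched the task.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    name: str
    created_order: int  # lower value = older account (constructed stand-in for a DB id)

@dataclass
class Task:
    dispatched_by: User                       # who actually called dispatch()
    permission_holders: list[User] = field(default_factory=list)  # model/domain-level task perms

@dataclass
class CreatedObject:
    name: str
    owner: User | None = None

def creator_via_task_permissions(task: Task) -> User:
    """Models the flawed lookup: the 'current user' becomes the first (oldest) user
    holding any permission on the task, regardless of who dispatched it."""
    return sorted(task.permission_holders, key=lambda u: u.created_order)[0]

def creator_via_dispatch_record(task: Task) -> User:
    """Corrected lookup: use the user recorded on the task at dispatch time."""
    return task.dispatched_by

def add_roles_for_object_creator(obj: CreatedObject, task: Task, resolve) -> User:
    """Stand-in for the mixin hook: assign creator roles to whoever `resolve` returns."""
    obj.owner = resolve(task)
    return obj.owner

def find_misassigned(objects: list[CreatedObject], task: Task) -> list[str]:
    """Audit helper: names of task-created objects whose owner is not the dispatcher."""
    return [o.name for o in objects if o.owner != task.dispatched_by]

# Constructed sample: 'admin' is the oldest account with task permissions, while
# 'alice' is the user who dispatches a task that creates a repository.
ADMIN = User("admin", created_order=1)
ALICE = User("alice", created_order=42)
TASK = Task(dispatched_by=ALICE, permission_holders=[ALICE, ADMIN])

def run_scenario() -> dict[str, str]:
    flawed = CreatedObject("repo-created-in-task")
    fixed = CreatedObject("repo-created-in-task")
    add_roles_for_object_creator(flawed, TASK, creator_via_task_permissions)
    add_roles_for_object_creator(fixed, TASK, creator_via_dispatch_record)
    return {"flawed_owner": flawed.owner.name, "fixed_owner": fixed.owner.name,
            "misassigned": ",".join(find_misassigned([flawed, fixed], TASK))}
```

Running `run_scenario()` shows the flawed lookup handing the repository to `admin` even though `alice` dispatched the task, and the audit helper flags that object.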
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pulp RBAC flaw causes permissions on objects created in tasks to be assigned to the task's oldest user with permissions, not the actual creator.
Vulnerability
Description
A flaw in the Pulp package's role-based access control (RBAC) implementation causes incorrect assignment of object permissions during task execution. The AutoAddObjPermsMixin mixin, specifically the add_roles_for_object_creator method, determines the object creator by checking the current authenticated user context. However, for objects created within a task, this context is set to the first user who has any permissions on the task object, which is typically the oldest user with model/domain-level task permissions, rather than the user who actually dispatched the task. [1][2]
Exploitation
An attacker who is an older user with task permissions within the Pulp system can exploit this by having their permissions context carry over to tasks they did not initiate. As a result, any objects created in those tasks will have their permissions granted to the oldest user with task permissions, not the user who triggered the task. This attack requires that the attacker already has some model/domain-level task permissions, but they do not need to have dispatched the task themselves. [3]
Impact
Successful exploitation leads to privilege escalation, where an attacker is granted permissions to objects they did not create. The legitimate creating user receives no permissions on the objects they created, potentially locking them out of their own work. This undermines the RBAC model and can lead to unauthorized access or denial of service for legitimate users. [4]
Mitigation
Red Hat has released an advisory (RHSA-2024:6765) with patches to address this vulnerability. Users should update their Pulp installations to the latest version that corrects the permission assignment logic. No workarounds have been publicly documented. The vulnerability affects Pulp packages; checking the advisory for specific version fixes is recommended. [1]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pulpcore (PyPI) | <= 3.56.0 | — |
Affected products
OSV coordinates (11 package versions, no CPE assigned):

| Package (purl) | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/py3.10-pulp | (no CPE) | < 0 |
| pkg:apk/chainguard/py3.10-pulp-bin | (no CPE) | < 3.3.0-r0 |
| pkg:apk/chainguard/py3.11-pulp | (no CPE) | < 3.3.0-r0 |
| pkg:apk/chainguard/py3.11-pulp-bin | (no CPE) | < 3.3.0-r0 |
| pkg:apk/chainguard/py3.12-pulp | (no CPE) | < 3.3.0-r0 |
| pkg:apk/chainguard/py3.12-pulp-bin | (no CPE) | < 3.3.0-r0 |
| pkg:apk/chainguard/py3.13-pulp | (no CPE) | < 3.3.0-r0 |
| pkg:apk/chainguard/py3.13-pulp-bin | (no CPE) | < 3.3.0-r0 |
| pkg:apk/chainguard/py3-pulp | (no CPE) | < 3.3.0-r0 |
| pkg:apk/chainguard/py3-supported-pulp | (no CPE) | < 3.3.0-r0 |
| pkg:pypi/pulpcore | (no CPE) | <= 3.56.0 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. access.redhat.com/errata/RHSA-2024:6765 (vendor advisory; GHSA, x_refsource_REDHAT)
2. github.com/advisories/GHSA-9m5j-4xx9-44j9 (GHSA advisory)
3. nvd.nist.gov/vuln/detail/CVE-2024-7143 (GHSA advisory)
4. access.redhat.com/security/cve/CVE-2024-7143 (vdb entry; GHSA, x_refsource_REDHAT)
5. bugzilla.redhat.com/show_bug.cgi (issue tracking; GHSA, x_refsource_REDHAT)
6. github.com/pulp/pulpcore/blob/93f241f34c503da0fbac94bdba739feda2636e12/pulpcore/tasking/_util.py (GHSA, web)
7. github.com/pulp/pulpcore/blob/main/CHANGES.md (GHSA, web)
News mentions
No linked articles in our index yet.