Unrated severityNVD Advisory· Published Sep 4, 2024· Updated Nov 11, 2025

Puppet-pulpcore: an authentication bypass vulnerability exists in pulpcore

CVE-2024-7923

Description

An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.

Affected products

Benoitc/Gunicorninferred
Range: <22.0
Red Hat/Satellitellm-fuzzy
Range: 6.13, 6.14, 6.15
Pulp/Pulpcorellm-fuzzy

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2024:6335mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2024:6336mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2024:6337mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2024:8906mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/security/cve/CVE-2024-7923mitrevdb-entryx_refsource_REDHAT
bugzilla.redhat.com/show_bug.cgimitreissue-trackingx_refsource_REDHAT

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000