CVE-2024-7143: Pulpcore: rbac permissions incorrectly assigned in tasks that create objects
A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
Security readout for executives and security teams
Plain-English summary
Pulp can assign permissions for objects created by background tasks to the wrong user. Instead of granting access to the person who started the task, it may grant access to the oldest user with task-level permissions. This can expose or alter managed content permissions, but the sources rate it medium and require already high privileges.
Executive priority
Treat this as a moderate-priority access-control issue. It is unlikely to be broadly exploitable without privileged access, but affected automation platforms may misassign permissions in ways that expose sensitive content or disrupt administrative workflows.
Technical view
AutoAddObjPermsMixin identifies an object creator from the current authenticated user. For task-created objects, that user may be derived from the first user with permissions on the task object, not the dispatcher. Task-created objects can therefore receive RBAC permissions for the wrong account, leaving the actual creator without assigned access.
Likely exposure
The bundle identifies Red Hat Ansible Automation Platform 2 pulpcore packages as affected. Red Hat Satellite 6 and Red Hat Update Infrastructure 4 are listed as unaffected. Exposure is most relevant where Pulp task workflows create RBAC-protected objects and multiple privileged users have task permissions.
Exploitation context
No KEV listing or cited source in the bundle indicates active exploitation. The CVSS vector requires high privileges, with network access, low attack complexity, no user interaction, and potential high confidentiality and integrity impact plus low availability impact.
Researcher notes
Focus analysis on task execution identity and RBAC assignment paths around AutoAddObjPermsMixin and add_roles_for_object_creator. Evidence supports permission misassignment during task-created object creation; the bundle does not provide exploit proof, fixed version details, or active exploitation evidence.
Mitigation direction
Apply updates from RHSA-2024:6765 where applicable.
Check Red Hat and Pulp guidance for fixed pulpcore versions.
Review privileged task-permission assignments in affected Pulp deployments.
Limit broad model or domain-level task permissions to required administrators.
Audit unexpected RBAC grants on objects created by tasks.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-277: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
2ADP providers
7Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-277 · source CWE mapping
Insecure Inherited Permissions
Insecure Inherited Permissions represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.