Search for packages
| purl | pkg:pypi/pulpcore@3.6.5.post2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1xj7-2e48-73d2
Aliases: CVE-2024-7143 GHSA-9m5j-4xx9-44j9 |
Pulp incorrectly assigns RBAC permissions in tasks that create objects A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T23:05:37.298950+00:00 | GitLab Importer | Affected by | VCID-1xj7-2e48-73d2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pulpcore/CVE-2024-7143.yml | 38.4.0 |
| 2026-04-12T00:23:35.309391+00:00 | GitLab Importer | Affected by | VCID-1xj7-2e48-73d2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pulpcore/CVE-2024-7143.yml | 38.3.0 |
| 2026-04-03T00:31:13.125689+00:00 | GitLab Importer | Affected by | VCID-1xj7-2e48-73d2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pulpcore/CVE-2024-7143.yml | 38.1.0 |