CVE-2024-7923
published 2024-09-04

Priority: P2 65 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% (52.4th percentile)
An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.

Affected (3 ranges)

Vendor | Product   | Version range | Fixed in
redhat | satellite |               |
redhat | satellite |               |
redhat | satellite |               |

Detection & IOCs (extracted from sources)

  • Authentication bypass is achieved by sending a malformed HTTP header containing underscores, which Apache mod_proxy fails to unset due to restrictions on underscores in HTTP headers, allowing the header to pass through to Gunicorn/Pulpcore as a trusted authentication header.
  • Monitor for unexpected administrative access or privilege escalation in Pulpcore/Satellite deployments, particularly requests that include HTTP headers with underscores that should normally be stripped by mod_proxy.
  • Vulnerability only affects Pulpcore deployments using Gunicorn versions prior to 22.0 with the puppet-pulpcore configuration. Upgrading Gunicorn to 22.0+ mitigates the issue.
  • Red Hat Update Infrastructure (RHUI) 4 for Cloud Providers is NOT affected because there is no public access to Pulp by RHUI users.
  • No mitigation is currently available that meets Red Hat Product Security criteria; patching/upgrading is the recommended path.

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.1         | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v3.0         | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat |              | 9.8   | CRITICAL |