CVE-2024-7923
Published 2024-09-04
Priority P2 · 65 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.81% (52.4th percentile)
An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| redhat | satellite | — | — |
| redhat | satellite | — | — |
| redhat | satellite | — | — |
Detection & IOCs (extracted from sources)
- Authentication bypass is achieved by sending a malformed HTTP header containing underscores, which Apache mod_proxy fails to unset due to restrictions on underscores in HTTP headers, allowing the header to pass through to Gunicorn/Pulpcore as a trusted authentication header.
- Monitor for unexpected administrative access or privilege escalation in Pulpcore/Satellite deployments, particularly requests that include HTTP headers with underscores that should normally be stripped by mod_proxy.
- The vulnerability only affects Pulpcore deployments using Gunicorn versions prior to 22.0 with the puppet-pulpcore configuration. Upgrading Gunicorn to 22.0+ mitigates the issue.
- Red Hat Update Infrastructure (RHUI) 4 for Cloud Providers is NOT affected because there is no public access to Pulp by RHUI users.
- No mitigation is currently available that meets Red Hat Product Security criteria; patching/upgrading is the recommended path.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat
puppet-pulpcore: An authentication bypass vulnerability exists in pulpcore
vendor_redhat · 2024-09-04 · CVSS 9.8 · CRITICAL · CWE-287
GHSA
GHSA-pmjc-mxf4-8qwx
ghsa_unreviewed · 2024-09-04 · CRITICAL · CWE-287
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.