Bug #37787: CVE-2024-7923: Authentication bypass in Pulpcore - Installer - Foreman

Actions

Copy link

Bug #37787

closed

CVE-2024-7923: Authentication bypass in Pulpcore

Added by Ewoud Kohl van Wijngaarden 4 days ago. Updated 4 days ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Foreman modules

Target version:

Foreman - 3.10.1

Difficulty:

Triaged:

Yes

Bugzilla link:

Pull request:

Fixed in Releases:

Foreman - 3.10.1, Foreman - 3.11.2, Foreman - 3.12.0

Found in Releases:

Foreman - 2.4.0

Red Hat JIRA:

Description

An authentication bypass vulnerability has been identified in Pulpcore when deployed by the Foreman Installer with Gunicorn versions prior to 22.0.

This issue arises from the way Apache is configured to do certificate authentication and pass this information to the Gunicorn backend, without unsetting all headers coming from a possibly malicious client.

History
Property changes
Associated revisions

Actions

Copy link

Updated by Ewoud Kohl van Wijngaarden 4 days ago

Target version set to 3.10.1

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Foreman » Installer

Custom queries

Bug #37787

CVE-2024-7923: Authentication bypass in Pulpcore

Updated by Ewoud Kohl van Wijngaarden 4 days ago