Home > Vulnerability Database > CVE-2024-7923

Mend.io Vulnerability Database

CVE-2024-7923

Date: September 4, 2024

An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.

Language: Ruby

Severity Score

9.8

Related Resources (8)

Url: https://access.redhat.com/errata/RHSA-2024:6335

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-7923

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2305718

Url: https://access.redhat.com/errata/RHSA-2024:6337

Url: https://access.redhat.com/errata/RHSA-2024:6336

Url: https://access.redhat.com/errata/RHSA-2024:8906

Url: https://access.redhat.com/security/cve/CVE-2024-7923

Url: https://www.mend.io/vulnerability-database/CVE-2024-7923

Severity Score

9.8

Weakness Type (CWE)

Improper Authentication

CWE-287

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-7923

Date: September 4, 2024

Language: Ruby

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?