
CVE-2024-7143: Insecure Inherited Permissions

Severity: Medium
Published: Wed Aug 07 2024 (08/07/2024, 16:49:29 UTC)
Source: CVE Database V5

Description

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the `add_roles_for_object_creator` method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

AI-Powered Analysis

Last updated: 11/20/2025, 21:19:46 UTC

Technical Analysis

CVE-2024-7143 is a vulnerability in the Pulp package's role-based access control (RBAC) mechanism, specifically in how permissions are assigned to objects created within tasks. Pulp uses the `AutoAddObjPermsMixin` (typically the `add_roles_for_object_creator` method) to assign permissions to the creator of an object by identifying the current authenticated user. When objects are created inside tasks, however, the "current user" is incorrectly resolved to the oldest user with any model- or domain-level permission on the task object, rather than to the user who actually dispatched the task. As a result, permissions on newly created objects are granted to this oldest user, and the real creator receives none. The flaw can therefore give an unintended user control over objects they did not create, enabling privilege escalation or unauthorized data access. Exploitation requires an authenticated user with some level of task permissions but no user interaction. The CVSS 3.0 score is 6.7 (medium): network attack vector, low attack complexity, high confidentiality and integrity impact, and low availability impact. No known exploits are currently reported in the wild. The flaw affects all versions of Pulp prior to the fix and is particularly relevant in environments where Pulp is used for content management, software distribution, or automation tasks.

Potential Impact

For European organizations, this vulnerability poses a risk of unauthorized access and privilege escalation within systems using Pulp for package management or content distribution. Misassigned permissions could allow an unintended user to access, modify, or control objects they should not have rights to, potentially leading to data breaches or operational disruptions. Confidentiality and integrity of sensitive data managed by Pulp could be compromised. Organizations relying on automated task workflows may experience permission inconsistencies, complicating audit and compliance efforts under regulations such as GDPR. The impact is heightened in sectors with strict data governance requirements, including finance, healthcare, and government. Although availability impact is low, the trustworthiness and security posture of affected systems could be undermined, increasing risk exposure. The requirement for authenticated users with task permissions limits exploitation scope but does not eliminate risk, especially in environments with multiple administrators or users with elevated privileges.

Mitigation Recommendations

To mitigate CVE-2024-7143, organizations should first audit and review current task-level permissions within Pulp, ensuring only trusted and necessary users have such privileges. Implement strict role separation and least privilege principles to minimize the number of users with task permissions. Monitor and log task creation and permission assignments to detect anomalies. Apply any available patches or updates from Pulp maintainers promptly once released. If patches are not yet available, consider implementing compensating controls such as restricting task creation to a limited set of users or disabling automated task workflows where feasible. Conduct regular permission reviews and access control audits to identify and correct misassignments. Educate administrators on the implications of task permissions and the importance of proper RBAC configuration. Finally, integrate Pulp security monitoring into broader organizational security operations to detect potential misuse stemming from this vulnerability.
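The following is an added illustration, not code from Pulp or from this advisory. It models the creator-resolution flaw described above (the oldest user holding any permission on the task object is treated as the "current user") next to the corrected attribution to the dispatcher, and runs the kind of permission review the recommendations call for: flag every task-created object whose owner is not the task's dispatcher. User/Task classes, the rule that a lower user id means an older account, and the sample data are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int      # assumption: lower id means the account was created earlier
    name: str


@dataclass
class Task:
    id: int
    dispatcher: User                                  # user who actually dispatched the task
    perm_holders: list = field(default_factory=list)  # users with model/domain-level task perms


def current_user_vulnerable(task: Task) -> User:
    """Model of the flawed lookup: the task's 'current user' becomes the oldest
    user holding any permission on the task object, whoever dispatched it."""
    return min(task.perm_holders, key=lambda u: u.id)


def current_user_fixed(task: Task) -> User:
    """Corrected lookup: creation is attributed to the dispatching user."""
    return task.dispatcher


def assign_creator_role(task: Task, resolver) -> User:
    """Stand-in for add_roles_for_object_creator: the creator role on an object
    created inside `task` goes to whoever `resolver` says the current user is."""
    return resolver(task)


def audit_misassigned(tasks, owners):
    """Permission review: list (task_id, owner, dispatcher) for every task whose
    created object is owned by someone other than the dispatcher."""
    return [(t.id, owners[t.id].name, t.dispatcher.name)
            for t in tasks if owners[t.id] != t.dispatcher]


# Constructed sample data, not taken from a real Pulp deployment.
ADMIN, ALICE, BOB = User(1, "admin"), User(7, "alice"), User(12, "bob")
TASKS = [
    Task(101, dispatcher=BOB, perm_holders=[ALICE, ADMIN, BOB]),    # bob dispatches
    Task(102, dispatcher=ADMIN, perm_holders=[ALICE, ADMIN, BOB]),  # oldest user dispatches
]


def run_audit(resolver):
    owners = {t.id: assign_creator_role(t, resolver) for t in TASKS}
    return audit_misassigned(TASKS, owners)


if __name__ == "__main__":
    print("vulnerable:", run_audit(current_user_vulnerable))  # [(101, 'admin', 'bob')]
    print("fixed:     ", run_audit(current_user_fixed))       # []
```

Task 102 shows why the flaw is easy to miss: when the oldest permitted user is also the dispatcher, ownership comes out right, so a review must cover tasks dispatched by every user, not just a sample.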


Technical Details

Data Version: 5.2
Assigner Short Name: redhat
Date Reserved: 2024-07-26T18:48:08.747Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 691f82024f1c50aa2eb5ae92

Added to database: 11/20/2025, 9:02:58 PM

Last enriched: 11/20/2025, 9:19:46 PM

Last updated: 11/23/2025, 7:02:47 PM

