A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:LPulpproject Pulp
APPPulpprojectwszystkie wersjeRed Hat Ansible Automation Platform
APPRedhat2.0
Related vulnerabilities
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt capture...
A template injection flaw was found in Ansible where a user's controller internal templating operations may re...
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints ou...
An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to...
A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This f...