CVE-2024-7923

Published: Sep 4, 2024

Modified: Nov 11, 2025

PUBLISHED

CVSS v3.0

9.8

CRITICAL

Description

An authentication bypass vulnerability has been identified in Pulpcore when deployed with Gunicorn versions prior to 22.0, due to the puppet-pulpcore configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.

Vendor	Product	Versions
Unknown	pulpcore	affected `0 - < 22.0`
Red Hat	Red Hat Satellite 6.13 for RHEL 8	unaffected `1:3.5.2.8-1.el8sat - < *`
Red Hat	Red Hat Satellite 6.13 for RHEL 8	unaffected `1:3.5.2.8-1.el8sat - < *`
Red Hat	Red Hat Satellite 6.14 for RHEL 8	unaffected `1:3.7.0.8-1.el8sat - < *`
Red Hat	Red Hat Satellite 6.14 for RHEL 8	unaffected `1:3.7.0.8-1.el8sat - < *`
Red Hat	Red Hat Satellite 6.15 for RHEL 8	unaffected `1:3.9.3.4-1.el8sat - < *`
Red Hat	Red Hat Satellite 6.15 for RHEL 8	unaffected `1:3.9.3.4-1.el8sat - < *`
Red Hat	Red Hat Satellite 6.16 for RHEL 8	unaffected `1:3.12.0.1-1.el8sat - < *`
Red Hat	Red Hat Satellite 6.16 for RHEL 8	unaffected `1:3.12.0.1-1.el8sat - < *`
Red Hat	Red Hat Satellite 6.16 for RHEL 9	unaffected `1:3.12.0.1-1.el9sat - < *`
Red Hat	Red Hat Satellite 6.16 for RHEL 9	unaffected `1:3.12.0.1-1.el9sat - < *`
Red Hat	Red Hat Update Infrastructure 4 for Cloud Providers	All versions
Red Hat	Red Hat Update Infrastructure 4 for Cloud Providers	All versions
Red Hat	Red Hat Update Infrastructure 4 for Cloud Providers	All versions