PT-2024-38689 · Apache+1 · Apache's Mod Proxy+1

Avinash Hanwate · Published 2024-04-09 · Updated 2025-12-03 · CVE-2024-7923

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Pulpcore versions 3.0 and later
Gunicorn versions prior to 22.0

Description

An authentication bypass issue has been identified due to Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14, and 6.15) which are using Pulpcore version 3.0+ and could potentially enable unauthorized users to gain administrative access.

Recommendations

For Pulpcore versions 3.0 and later, update Gunicorn to version 22.0 or later to resolve the issue. For Gunicorn versions prior to 22.0, consider disabling the use of Apache's mod_proxy until a patch is available. As a temporary workaround, restrict access to the vulnerable configuration to minimize the risk of exploitation.
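The header ambiguity named in the description can be audited at the application boundary. The following is an added example, not code from this advisory or from the Pulpcore, Gunicorn or Apache projects. It assumes the backend derives CGI/WSGI-style keys from header names (as PEP 3333 servers do), and the header names in the sample are hypothetical.

```python
import re
from collections import defaultdict

# RFC 9110 field-name token characters; underscore is syntactically legal,
# which is why it has to be rejected by policy rather than by the grammar.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def environ_key(name):
    """CGI/WSGI-style key (assumption: backend follows PEP 3333 naming)."""
    return "HTTP_" + name.upper().replace("-", "_")


def find_collisions(headers):
    """Map each environ key reached by more than one spelling to those spellings."""
    seen = defaultdict(set)
    for name, _value in headers:
        seen[environ_key(name)].add(name.lower())
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def drop_ambiguous(headers):
    """Split headers into (kept, dropped); names with '_' or bad syntax are dropped."""
    kept, dropped = [], []
    for name, value in headers:
        if TOKEN.match(name) and "_" not in name:
            kept.append((name, value))
        else:
            dropped.append((name, value))
    return kept, dropped


# Constructed sample request headers; names and values are hypothetical.
SAMPLE = [
    ("Host", "satellite.example.test"),
    ("X-Example-User", "set-by-proxy"),    # header the proxy is meant to control
    ("X_Example_User", "sent-by-client"),  # underscore spelling, same environ key
    ("Accept", "*/*"),
]

if __name__ == "__main__":
    print("collisions:", find_collisions(SAMPLE))
    kept, dropped = drop_ambiguous(SAMPLE)
    print("dropped:", dropped)
    print("collisions after filtering:", find_collisions(kept))
```

A rule that unsets only the hyphenated name leaves the underscore spelling in place, so dropping underscore names before key normalization removes the ambiguity regardless of which spelling arrives.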

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2025-15588
CVE-2024-7923
RHSA-2024:6335
RHSA-2024:6336
RHSA-2024:6337
RHSA-2024:8906

Affected Products

Apache's Mod Proxy
Red Os