Pulpproject Pulpproject

  1. Vendors
  2. Pulpproject

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Pulpproject product.

RSS Feeds for Pulpproject security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Pulpproject products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Pulpproject Sorted by Most Security Vulnerabilities since 2018

Pulpproject Pulp9 vulnerabilities

Pulpproject Pulp Ansible1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Pulpproject. Pulpproject did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 1 0.00
2023 0 0.00
2022 1 5.50
2021 0 0.00
2020 0 0.00
2019 0 0.00
2018 2 7.50

It may take a day or so for new Pulpproject vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Pulpproject Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2024-7143 Aug 07, 2024
Pulp RBAC flaw causes improper perms via AutoAddObjPermsMixin (CVE-2024-7143) A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.
Pulp
CVE-2022-3644 Oct 25, 2022
Pulp Ansible Remote Token Plaintext Exposure via API The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.
Pulp Ansible
CVE-2018-10917 Aug 15, 2018
pulp 2.16.x and possibly older is vulnerable to an improper path parsing pulp 2.16.x and possibly older is vulnerable to an improper path parsing. A malicious user or a malicious iso feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other iso repositories.
Pulp
CVE-2018-1090 Jun 18, 2018
In Pulp before version 2.16.2 In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.
Pulp
CVE-2016-3704 Jun 13, 2017
Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords. Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords.
Pulp
CVE-2016-3696 Jun 13, 2017
The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key.
Pulp
CVE-2016-3112 Jun 08, 2017
client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escalate privileges by reading /etc/pki/pulp/consumer/consumer-cert, and authenticating as a consumer user.
Pulp
CVE-2016-3111 Jun 08, 2017
pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated RSA keys via reading the key files while the installation process is running.
Pulp
CVE-2016-3108 Jun 08, 2017
The pulp-gen-nodes-certificate script in Pulp before 2.8.3 The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.
Pulp
CVE-2016-3107 Jun 08, 2017
The Node certificate in Pulp before 2.8.3 contains the private key, and is stored in a world-readable file in the "/etc/pki/pulp/nodes/" directory, which The Node certificate in Pulp before 2.8.3 contains the private key, and is stored in a world-readable file in the "/etc/pki/pulp/nodes/" directory, which allows local users to gain access to sensitive data.
Pulp
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.