Homepage

Insecure Inherited Permissions The advisory has been revoked - it doesn't affect any version of package py3-pulp  (opens in a new tab)

Threat Intelligence

EPSS
0.04% (14th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-PY3PULP-15111848
  • published27 Jan 2026
  • disclosed7 Aug 2024
Report a new vulnerability Found a mistake?

Introduced: 7 Aug 2024

CVE-2024-7143  (opens in a new tab)
CWE-277  (opens in a new tab)

Amendment

The Chainguard security team deemed this advisory irrelevant for Chainguard:latest.

NVD Description

Note: Versions mentioned in the description apply only to the upstream py3-pulp package and not the py3-pulp package as distributed by Chainguard.

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the AutoAddObjPermsMixin (typically the add_roles_for_object_creator method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.