pulpproject CVE Vulnerabilities & Metrics

Focus on pulpproject vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About pulpproject Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with pulpproject. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total pulpproject CVEs: 15
Earliest CVE date: 03 Apr 2017, 15:59 UTC
Latest CVE date: 07 Aug 2024, 17:15 UTC

Latest CVE reference: CVE-2024-7143

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical pulpproject CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 3.79

Max CVSS: 9.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range Count
0.0-3.9 7
4.0-6.9 7
7.0-8.9 0
9.0-10.0 1

CVSS Distribution Chart

Top 5 Highest CVSS pulpproject CVEs

These are the five CVEs with the highest CVSS scores for pulpproject, sorted by severity first, then by recency.

All CVEs for pulpproject

CVE-2024-7143 pulpproject vulnerability CVSS: 0 07 Aug 2024, 17:15 UTC

A flaw was found in the Pulp package. When a role-based access control (RBAC) object in Pulp is set to assign permissions on its creation, it uses the `AutoAddObjPermsMixin` (typically the `add_roles_for_object_creator` method). This method finds the object creator by checking the current authenticated user. For objects that are created within a task, this current user is set by the first user with any permissions on the task object. This means the oldest user with model/domain-level task permissions will always be set as the current user of a task, even if they didn't dispatch the task. Therefore, all objects created in tasks will have their permissions assigned to this oldest user, and the creating user will receive nothing.

CVE-2022-3644 pulpproject vulnerability CVSS: 0 25 Oct 2022, 18:15 UTC

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

CVE-2018-10917 pulpproject vulnerability CVSS: 4.0 15 Aug 2018, 17:29 UTC

Pulp 2.16.x and possibly older is vulnerable to improper path parsing. A malicious user or a malicious ISO feed repository can write to locations accessible to the 'apache' user. This may lead to overwrite of published content on other ISO repositories.

CVE-2018-1090 pulpproject vulnerability CVSS: 5.0 18 Jun 2018, 14:29 UTC

In Pulp before version 2.16.2, secrets are passed into override_config when triggering a task and then become readable to all users with read access on the distributor/importer. An attacker with API access can then view these secrets.

CVE-2015-5164 pulpproject vulnerability CVSS: 9.0 18 Oct 2017, 16:29 UTC

The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp.

CVE-2015-5263 pulpproject vulnerability CVSS: 6.8 25 Sep 2017, 21:29 UTC

pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration.

CVE-2016-3704 pulpproject vulnerability CVSS: 5.0 13 Jun 2017, 17:29 UTC

Pulp before 2.8.5 uses bash's $RANDOM in an unsafe way to generate passwords.

CVE-2016-3696 pulpproject vulnerability CVSS: 2.1 13 Jun 2017, 16:29 UTC

The pulp-qpid-ssl-cfg script in Pulp before 2.8.5 allows local users to obtain the CA key.

CVE-2016-3095 pulpproject vulnerability CVSS: 2.1 08 Jun 2017, 19:29 UTC

server/bin/pulp-gen-ca-certificate in Pulp before 2.8.2 allows local users to read the generated private key.

CVE-2016-3112 pulpproject vulnerability CVSS: 5.0 08 Jun 2017, 18:29 UTC

client/consumer/cli.py in Pulp before 2.8.3 writes consumer private keys to etc/pki/pulp/consumer/consumer-cert.pem as world-readable, which allows remote authenticated users to obtain the consumer private keys and escalate privileges by reading /etc/pki/pulp/consumer/consumer-cert, and authenticating as a consumer user.

CVE-2016-3111 pulpproject vulnerability CVSS: 2.1 08 Jun 2017, 18:29 UTC

pulp.spec in the installation process for Pulp 2.8.3 generates the RSA key pairs used to validate messages between the pulp server and pulp consumers in a directory that is world-readable before later modifying the permissions, which might allow local users to read the generated RSA keys via reading the key files while the installation process is running.

CVE-2016-3108 pulpproject vulnerability CVSS: 3.6 08 Jun 2017, 18:29 UTC

The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.

CVE-2016-3107 pulpproject vulnerability CVSS: 2.1 08 Jun 2017, 18:29 UTC

The Node certificate in Pulp before 2.8.3 contains the private key, and is stored in a world-readable file in the "/etc/pki/pulp/nodes/" directory, which allows local users to gain access to sensitive data.

CVE-2016-3106 pulpproject vulnerability CVSS: 5.0 13 Apr 2017, 14:59 UTC

Pulp before 2.8.3 creates a temporary directory during CA key generation in an insecure manner.

CVE-2013-7450 pulpproject vulnerability CVSS: 5.0 03 Apr 2017, 15:59 UTC

Pulp before 2.3.0 uses the same certificate authority key and certificate for all installations.