Cross-Site Request Forgery Vulnerability in Quay Web GUI by Red Hat
CVE-2019-3864

5.4MEDIUM

Key Information:

Vendor: Red Hat
Status: Quay
Vendor: CVE Published:; 21 January 2020

What is CVE-2019-3864?

A vulnerability exists in the Quay web GUI within all quay-2 versions before quay-3.0.0, where a CSRF token presented in POST requests is not correctly refreshed. This lapse allows an attacker to utilize a leaked CSRF token to perform unauthorized actions on behalf of a user, potentially compromising account security if the token is obtained after a user logs out and back in.

Affected Version(s)

quay all quay-2 versions before quay-3.0.0

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3864

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 21, 2020
Vulnerability Reserved
Jan 3, 2019