Quay: stored cross site scripting
CVE-2023-3384

5.4MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Quay 3
Vendor: CVE Published:; 24 July 2023

Summary

A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS).

References

https://access.redhat.com/security/cve/CVE-2023-3384

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2216924

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jul 24, 2023
Vulnerability Reserved
Jun 23, 2023

Credit

This issue was discovered by Angel Olle Blazquez (Red Hat).