Mirror-registry Flaw Exposes Quay Database Secrets
CVE-2024-3623

8.1HIGH

Key Information:

Vendor: Red Hat
Status: Mirror Registry For Red Hat Openshift
Vendor: CVE Published:; 25 April 2024

Summary

A vulnerability exists in Quay's installation process via the mirror-registry, where a default database secret key is inadvertently stored in plain text within a configuration template file. This design flaw permits any instance of Quay deployed through this method to share the same database secret key, potentially compromising sensitive information. If exploited, this vulnerability allows malicious actors to gain unauthorized access to the database, posing significant risks to data integrity and confidentiality.

References

https://access.redhat.com/security/cve/CVE-2024-3623

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2274404

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 25, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Solomon Roberts (BadgerOps.net works) for reporting this issue.