Quay's Database Vulnerability: Plain-Text Storage Exposes Sensitive Data
CVE-2024-3624

7.3HIGH

Key Information:

Vendor: Red Hat
Status: Mirror Registry For Red Hat Openshift
Vendor: CVE Published:; 25 April 2024

Summary

A security issue has been identified in Quay, a container registry service by Red Hat, involving the insecure storage of database credentials within the mirror-registry's configuration file (config.yaml). This flaw permits malicious actors, who gain access to this file, to retrieve sensitive database information, compromising the integrity and confidentiality of the data stored within Quay's database. It emphasizes the importance of securing configuration files and utilizing encryption for sensitive data storage to mitigate potential security threats.

References

https://access.redhat.com/security/cve/CVE-2024-3624

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2274407

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 25, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Solomon Roberts (BadgerOps.net works) for reporting this issue.