Plain Text Database Vulnerability Exposes Quay's Redis Instance to Attack
CVE-2024-3625

7.3HIGH

Key Information:

Vendor: Red Hat
Status: Mirror Registry For Red Hat Openshift
Vendor: CVE Published:; 25 April 2024

Summary

A significant data exposure vulnerability has been identified in Quay, a popular container registry operated by Red Hat. The flaw arises from storing the Quay database in plain text within the mirror-registry configuration file, config.yaml. This configuration exposes critical data, potentially allowing malicious actors who gain access to this file to connect to the accessible Redis instance linked to Quay. This vulnerability underscores the importance of securing sensitive configuration files to prevent unauthorized access to backend services.

References

https://access.redhat.com/security/cve/CVE-2024-3625

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2274408

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 25, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Solomon Roberts (BadgerOps.net works) for reporting this issue.