Main Vulnerability Database Vulnerabilities #VU34916

Insufficiently protected credentials in Quay - CVE-2019-10205

Published: January 2, 2020 / Updated: August 8, 2020

Vulnerability identifier: #VU34916

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-10205

CWE-ID: CWE-522

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Red Hat Inc.

Affected software:
Quay

Detailed vulnerability description

The vulnerability allows a local privileged user to #BASIC_IMPACT#.

A flaw was found in the way Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries in the Red Hat Quay database could use the tokens to read or write container images stored in the registry.

How to mitigate CVE-2019-10205

Install update from vendor's website.

Sources

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10205

Insufficiently protected credentials in Quay - CVE-2019-10205

Detailed vulnerability description

How to mitigate CVE-2019-10205

Sources

Please verify you're human