Bug 1768297 (CVE-2019-3865)
| Summary: | CVE-2019-3865 quay: Stored XSS in super user function | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bdettelb, jschorr, tomckay |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A stored XSS vulnerability has been found in the super user function of quay. Attackers are able to use the name field of service key to inject scripts and make it run when admin users try to change the name.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-11-11 06:52:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1768294 | ||
|
Description
Jason Shepherd
2019-11-04 01:29:19 UTC
Acknowledgments: Name: Jeremy Choi (Red Hat) This bug was addressed with both closing of the client side XSS issue AND server side validation of the service key name in a change that was released this past summer This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3865 |