Bug 1905758 (CVE-2020-27831)

Summary: CVE-2020-27831 quay: email notifications authorization bypass
Product: [Other] Security Response
Reporter: Jason Shepherd <jshepherd>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: bdettelb, kmullins, security-response-team, tomckay
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
See Also: https://issues.redhat.com/browse/PROJQUAY-1366
https://issues.redhat.com/browse/PROJQUAY-1372
https://issues.redhat.com/browse/PROJQUAY-1373
Whiteboard:
Fixed In Version: Quay 3.3.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email notifications. This flaw allows an attacker to add email addresses they do not own to repository notifications.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-01-11 12:27:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1905285, 1939569

Description Jason Shepherd 2020-12-09 01:27:03 UTC
Red Hat Quay doesn't properly protect the authorization token when authorizing email addresses for repository email notifications. An attacker can use this flaw to add email addresses which they don't own to repository notifications.

Comment 4 Jason Shepherd 2020-12-09 23:16:08 UTC
Upstream commit:
https://github.com/quay/quay/pull/614

Comment 5 Jason Shepherd 2020-12-09 23:21:51 UTC
Acknowledgments:

Name: Chen Cohen (eBay)

Comment 6 Jason Shepherd 2020-12-10 00:21:51 UTC
Mitigation:

Disable email using the configuration app.

Comment 7 errata-xmlrpc 2021-01-11 07:33:30 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0050 https://access.redhat.com/errata/RHSA-2021:0050

Comment 8 Product Security DevOps Team 2021-01-11 12:27:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27831