Bug 1732190 (CVE-2019-10205) - CVE-2019-10205 quay: Red Hat Quay stores robot account tokens in plain text
Status: CLOSED ERRATA
Alias: CVE-2019-10205
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1732223
Blocks: 1732186
Reported: 2019-07-23 01:31 UTC by Jason Shepherd
Modified: 2021-02-16 21:38 UTC

Doc Text:
A flaw was found in the way Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries in the Red Hat Quay database could use the tokens to read or write container images stored in the registry.
Last Closed: 2019-12-19 20:09:26 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2019:4341 | 0 | None | None | None | 2019-12-19 15:47:23 UTC

Description Jason Shepherd 2019-07-23 01:31:42 UTC
Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries on the Red Hat Quay database could use the tokens to read or write container images stored in the registry as the compromised robot account.

Comment 2 Jason Shepherd 2019-07-23 04:25:03 UTC
Acknowledgments:

Name: Sean Smith (F5 Networks)

Comment 10 errata-xmlrpc 2019-12-19 15:47:22 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2019:4341 https://access.redhat.com/errata/RHSA-2019:4341

Comment 11 Product Security DevOps Team 2019-12-19 20:09:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10205

