Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries on the Red Hat Quay database could use the tokens to read or write container images stored in the registry as the compromised robot account.
Acknowledgments: Name: Sean Smith (F5 Networks)
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2019:4341 https://access.redhat.com/errata/RHSA-2019:4341
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10205
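
The weakness described in this bug, shown as an added example: it is not Red Hat Quay's code or schema, and it is not the fix shipped in RHSA-2019:4341. It contrasts a table that stores the bearer token itself with one that stores only a digest (a common mitigation for high-entropy tokens), and shows what a party with read access to each table obtains. Table names, column names and the account name are constructed.

```python
import hashlib
import hmac
import secrets
import sqlite3

def open_db():
    # In-memory database with a constructed schema (an assumption, not Quay's schema).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE robot_plain (name TEXT PRIMARY KEY, token TEXT)")
    db.execute("CREATE TABLE robot_hashed (name TEXT PRIMARY KEY, token_sha256 TEXT)")
    return db

def issue_plain(db, name):
    # Weak pattern: the bearer token itself is written to the database.
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO robot_plain VALUES (?, ?)", (name, token))
    return token

def issue_hashed(db, name):
    # Hardened pattern: only a digest is stored; the token is returned once to the caller.
    # Plain SHA-256 is adequate because the token is 256 bits of randomness,
    # not a human-chosen password.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    db.execute("INSERT INTO robot_hashed VALUES (?, ?)", (name, digest))
    return token

def verify_hashed(db, name, presented):
    # Hash the presented token and compare digests in constant time.
    row = db.execute("SELECT token_sha256 FROM robot_hashed WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    return hmac.compare_digest(digest, row[0])

def stored_value(db, table, name):
    # What read-only database access yields for one account (table name is allow-listed).
    column = {"robot_plain": "token", "robot_hashed": "token_sha256"}[table]
    return db.execute(f"SELECT {column} FROM {table} WHERE name = ?", (name,)).fetchone()[0]

if __name__ == "__main__":
    db = open_db()
    t_plain = issue_plain(db, "org+builder")
    t_hashed = issue_hashed(db, "org+builder")
    leaked = stored_value(db, "robot_hashed", "org+builder")
    print("plain row is the live token:", stored_value(db, "robot_plain", "org+builder") == t_plain)
    print("hashed row is the live token:", leaked == t_hashed)
    print("hashed row accepted as a token:", verify_hashed(db, "org+builder", leaked))
```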