1768293 – (CVE-2019-3864) CVE-2019-3864 quay: CSRF token does not expire and is leaked in query string

Bug 1768293 (CVE-2019-3864) - CVE-2019-3864 quay: CSRF token does not expire and is leaked in query string

Summary: CVE-2019-3864 quay: CSRF token does not expire and is leaked in query string

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2019-3864
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1768294
TreeView+	depends on / blocked

Reported:	2019-11-04 01:20 UTC by Jason Shepherd
Modified:	2021-02-16 21:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:	quay-3.0.0
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was discovered in the Quay web GUI where POST requests include a specific parameter which is used as a CSRF token. The token is not refreshed for every request or when a user logged out and in again. An attacker could use a leaked token to gain access to the system using the user's account.
Clone Of:
Environment:
Last Closed:	2019-11-11 06:51:56 UTC
Embargoed:

Attachments	(Terms of Use)

Description Jason Shepherd 2019-11-04 01:20:06 UTC

POST requests in the Quay web GUI include the ‘_csrf_token’ parameter which seems is used as a CSRF token. The token is not refreshed for every request or when a user logged out and in again. Some endpoints also exposed the CSRF Token in query string.

Comment 1 Jason Shepherd 2019-11-04 01:20:10 UTC

Acknowledgments:

Name: Jeremy Choi (Red Hat)

Comment 2 jschorr 2019-11-04 05:24:40 UTC

This was addressed in a change made in July, where tokens are now rotated on every user login. We attempted to refresh on every request, but as we can support multiple concurrent requests on our API, the state management of doing so started to become unwieldily and unreliable. Further, with the introduction of default Same-Site cookies, this has become even less of a concern.

Comment 6 Product Security DevOps Team 2019-11-11 06:51:56 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3864

Note You need to log in before you can comment on or make changes to this bug.