Sessions in the Quay web application never expire. An attacker able to gain access to a session could use it to control or delete a user's container repository.
Acknowledgments: Name: Jeremy Choi (Red Hat)
Mitigation: Toggle 'FEATURE_PERMANENT_SESSIONS' to 'False' in quay.conf.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-3867