2216924 – (CVE-2023-3384) CVE-2023-3384 quay: stored cross site scripting

Bug 2216924 (CVE-2023-3384) - CVE-2023-3384 quay: stored cross site scripting

Summary: CVE-2023-3384 quay: stored cross site scripting

Keywords:
Status:	NEW
Alias:	CVE-2023-3384
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2216923
TreeView+	depends on / blocked

Reported:	2023-06-23 09:28 UTC by Avinash Hanwate
Modified:	2023-07-07 08:29 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	---
Doc Text:	A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS).
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2023-06-23 09:28:04 UTC

The vulnerability exists in the bootbox component of the container image labels within Quay. Specifically, the bootbox title dialog is not properly
sanitized.

While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is
not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry, containing a script that can be executed via XSS.

Note You need to log in before you can comment on or make changes to this bug.