2274400 – (CVE-2024-3622) CVE-2024-3622 mirror-registry: Plain-text default CSRF secret key

Bug 2274400 (CVE-2024-3622) - CVE-2024-3622 mirror-registry: Plain-text default CSRF secret key

Summary: CVE-2024-3622 mirror-registry: Plain-text default CSRF secret key

Keywords:
Status:	NEW
Alias:	CVE-2024-3622
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2274398
TreeView+	depends on / blocked

Reported:	2024-04-10 20:30 UTC by Marco Benatto
Modified:	2024-04-16 20:46 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same secret key. This flaw allows a malicious actor to craft session cookies and as a consequence, it may lead to gaining access to the affected Quay instance.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2024-04-10 20:30:12 UTC

The default CSRF SECRET_KEY in mirror-registry is stored in plain-text on the jinja's config.yaml file, leaving the possibility of every mirror-registry installation which hasn't changed it to have the same SECRET_KEY. The CSRF SECRET_KEY is used to encrypt the session cookie and the CSRF used to interpret the user sessions. A successful attack may lead to account takeover in the quay instance.

Note You need to log in before you can comment on or make changes to this bug.