2274407 – (CVE-2024-3624) CVE-2024-3624 mirror-registry: Database user and password stored in plain-text

Bug 2274407 (CVE-2024-3624) - CVE-2024-3624 mirror-registry: Database user and password stored in plain-text

Summary: CVE-2024-3624 mirror-registry: Database user and password stored in plain-text

Keywords:
Status:	NEW
Alias:	CVE-2024-3624
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2274398
TreeView+	depends on / blocked

Reported:	2024-04-10 20:51 UTC by Marco Benatto
Modified:	2024-04-16 20:46 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in how Quay's database is stored in plain-text in mirror-registry on the jinja's config.yaml file. This flaw allows a malicious actor with access to this file to gain access to Quay's database.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Marco Benatto 2024-04-10 20:51:05 UTC

The Quay's database is stored in plain-text in mirror-registry on the jinja's config.yaml file, leaving the possibility of an malicious actor with access to this file to gain access to Quay's database.

Note You need to log in before you can comment on or make changes to this bug.