Bug 1768297 (CVE-2019-3865) - CVE-2019-3865 quay: Stored XSS in super user function
Summary: CVE-2019-3865 quay: Stored XSS in super user function
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-3865
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1768294
TreeView+ depends on / blocked
 
Reported: 2019-11-04 01:29 UTC by Jason Shepherd
Modified: 2019-11-11 23:25 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: ---
Doc Text:
A stored XSS vulnerability has been found in the super user function of quay. Attackers are able to use the name field of service key to inject scripts and make it run when admin users try to change the name.
Clone Of:
Environment:
Last Closed: 2019-11-11 06:52:03 UTC


Attachments (Terms of Use)

Description Jason Shepherd 2019-11-04 01:29:19 UTC
A stored XSS vulnerability has been found in the super user function. Attackers are able to use the name field of service key to inject scripts and make it run when admin users try to change the name.

Comment 1 Jason Shepherd 2019-11-04 01:29:23 UTC
Acknowledgments:

Name: Jeremy Choi (Red Hat)

Comment 2 jschorr 2019-11-04 05:25:30 UTC
This bug was addressed with both closing of the client side XSS issue AND server side validation of the service key name in a change that was released this past summer

Comment 3 Product Security DevOps Team 2019-11-11 06:52:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3865


Note You need to log in before you can comment on or make changes to this bug.