First published: Thu Sep 14 2023
A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim’s browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges).
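The defence a page like this implies is the standard one for a state-changing configuration endpoint: a per-session synchronizer token embedded in the form and checked server-side, plus an Origin/Referer check so that a request the victim's browser was coerced into sending from another domain is rejected before it can touch configuration. The following is an added illustration written for this advisory, not Quay's own code; the request and session objects are constructed dicts standing in for a web framework, and `SITE_ORIGIN` is a placeholder deployment origin.

```python
"""Minimal CSRF defence for a configuration endpoint (added example, not Quay code).

Two independent checks are applied to every state-changing request:
  1. Origin (or Referer fallback) must match the site's own origin.
  2. The form must carry the per-session synchronizer token.
A cross-site form post fails both: the browser stamps a foreign Origin on it,
and the attacker's page never saw the token, which lives in the victim's HTML,
not in a cookie the browser would attach automatically.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://quay.example.test"  # placeholder: the deployment's own origin

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session: dict) -> str:
    """Create a per-session token, store it server-side, and return it for embedding in forms."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is our own origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: fail closed for state-changing requests
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def csrf_check(session: dict, request: dict) -> tuple:
    """Return (allowed, reason) for a request; only non-safe methods are gated."""
    if request["method"] in SAFE_METHODS:
        return True, "safe method"
    if not origin_allowed(request["headers"]):
        return False, "cross-origin request rejected"
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token")
    if not expected or not supplied:
        return False, "missing CSRF token"
    # Constant-time comparison so token equality cannot be timed.
    if not hmac.compare_digest(expected, supplied):
        return False, "CSRF token mismatch"
    return True, "ok"


def demo() -> dict:
    """Run constructed requests against one session and report each verdict."""
    session = {}
    token = issue_csrf_token(session)
    # Legitimate save from the config editor page itself (constructed sample).
    legit = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf_token": token, "superusers": "alice"},
    }
    # Forged post from a page on another domain: foreign Origin, no token (constructed sample).
    forged = {
        "method": "POST",
        "headers": {"Origin": "https://attacker.example.test"},
        "form": {"superusers": "mallory"},
    }
    # Same-origin request that lost its token (e.g. a stale form).
    tokenless = {"method": "POST", "headers": {"Origin": SITE_ORIGIN}, "form": {}}
    # Same-origin request carrying a token from some other session.
    wrong_token = {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf_token": secrets.token_urlsafe(32)},
    }
    return {
        "legit": csrf_check(session, legit),
        "forged": csrf_check(session, forged),
        "tokenless": csrf_check(session, tokenless),
        "wrong_token": csrf_check(session, wrong_token),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The Origin check alone would already stop the cross-domain request described above, and the token alone would too; keeping both means a bug or misconfiguration in one (a proxy stripping headers, a template that forgets to render the token) does not silently reopen the endpoint. Failing closed when neither Origin nor Referer is present is deliberate for configuration changes, since a browser always sends Origin on cross-origin POSTs and same-origin form posts carry at least a Referer; non-browser clients should authenticate with an explicit credential rather than rely on this path.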
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix
---|---|---
Red Hat Quay | = 3.0.0 |
CVE-2023-4959 is a vulnerability in Quay that allows Cross-Site Request Forgery (CSRF) attacks.
CVE-2023-4959 has a severity rating of 6.5, which is considered medium.
CVE-2023-4959 allows an attacker to coerce a user's browser into performing unwanted actions on the Quay instance through the CSRF flaw in the config-editor page.
Quay version 3.0.0 is affected by CVE-2023-4959.
To fix CVE-2023-4959, update Quay to a version that is not affected, if one is available; otherwise apply any patches or security updates provided by the vendor.