CVE-2020-14313 (GCVE-0-2020-14313)
Vulnerability from cvelistv5
Published
2020-08-11 13:42
Modified
2024-08-04 12:39
CWE
- Exposure of Sensitive Information to an Unauthorized Actor
Summary
An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.
References
Source | URL | Tags
---|---|---
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1853026 | Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1853026 | Issue Tracking, Vendor Advisory
fkie_cve-2020-14313
Vulnerability from fkie_nvd
Published
2020-08-11 14:15
Modified
2024-11-21 05:02
Summary
An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.
References
Source | URL | Tags
---|---|---
secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1853026 | Issue Tracking, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1853026 | Issue Tracking, Vendor Advisory
RHSA-2020:3525
Vulnerability from csaf_redhat
Published
2020-08-19 19:50
Modified
2025-10-10 01:34
Summary
Red Hat Security Advisory: Red Hat Quay v3.3.1 security update
Notes
Topic
An update is now available for Red Hat Quay 3.3
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Quay 3.3.1 release, including:
Security Fix(es):
* quay: build triggers can disclose robot account names and existence of private repos within namespaces (CVE-2020-14313)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Quay 3.3.1 release (BZ#1844197)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
rhsa-2020_3525
Vulnerability from csaf_redhat
Published
2020-08-19 19:50
Modified
2024-11-13 22:15
Summary
Red Hat Security Advisory: Red Hat Quay v3.3.1 security update
Notes
Topic
An update is now available for Red Hat Quay 3.3
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Quay 3.3.1 release, including:
Security Fix(es):
* quay: build triggers can disclose robot account names and existence of private repos within namespaces (CVE-2020-14313)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Quay 3.3.1 release (BZ#1844197)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
"quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64", "product_id": "quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-rhel8-operator\u0026tag=v3.3.1-4" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64" }, "product_reference": "quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64" }, "product_reference": "quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64 as a component of Quay v3", "product_id": 
"8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64" }, "product_reference": "quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64" }, "product_reference": "quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64" }, "product_reference": "quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64" }, "product_reference": "quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64", "relates_to_product_reference": "8Base-Quay-3" } ] }, "vulnerabilities": [ { "acknowledgments": [ { 
"names": [ "Joey Schorr" ], "organization": "Red Hat", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2020-14313", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2020-06-29T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1853026" } ], "notes": [ { "category": "description", "text": "An information disclosure vulnerability was found in Red Hat Quay. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.", "title": "Vulnerability description" }, { "category": "summary", "text": "quay: build triggers can disclose robot account names and existence of private repos within namespaces", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "8Base-Quay-3:quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "8Base-Quay-3:quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64" ] }, "references": 
[ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14313" }, { "category": "external", "summary": "RHBZ#1853026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14313", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14313" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14313", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14313" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2020:3525", "url": "https://access.redhat.com/errata/RHSA-2020:3525" } ], "release_date": "2020-07-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-08-19T19:50:53+00:00", "details": "Please download the release images via:\n\nquay.io/redhat/quay:v3.3.1\nquay.io/redhat/clair-jwt:v3.3.1\nquay.io/redhat/quay-builder:v3.3.1\nquay.io/redhat/clair:v3.3.1", "product_ids": [ "8Base-Quay-3:quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "8Base-Quay-3:quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "8Base-Quay-3:quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3525" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": 
"NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "8Base-Quay-3:quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "8Base-Quay-3:quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "quay: build triggers can disclose robot account names and existence of private repos within namespaces" } ] }
rhsa-2020:3525
Vulnerability from csaf_redhat
Published
2020-08-19 19:50
Modified
2025-10-10 01:34
Summary
Red Hat Security Advisory: Red Hat Quay v3.3.1 security update
Notes
Topic
An update is now available for Red Hat Quay 3.3
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Quay 3.3.1 release, including:
Security Fix(es):
* quay: build triggers can disclose robot account names and existence of private repos within namespaces (CVE-2020-14313)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Quay 3.3.1 release (BZ#1844197)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat Quay 3.3\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Quay 3.3.1 release, including:\n\nSecurity Fix(es):\n\n* quay: build triggers can disclose robot account names and existence of private repos within namespaces (CVE-2020-14313)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Quay 3.3.1 release (BZ#1844197)", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2020:3525", "url": "https://access.redhat.com/errata/RHSA-2020:3525" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "1844197", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1844197" }, { "category": "external", "summary": "1853026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3525.json" } ], "title": "Red Hat Security Advisory: Red Hat Quay v3.3.1 security update", "tracking": { "current_release_date": "2025-10-10T01:34:23+00:00", "generator": { "date": "2025-10-10T01:34:23+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.9" } }, "id": "RHSA-2020:3525", "initial_release_date": "2020-08-19T19:50:53+00:00", "revision_history": [ { "date": "2020-08-19T19:50:53+00:00", "number": "1", "summary": "Initial version" }, { "date": "2020-08-19T19:50:53+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-10-10T01:34:23+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Quay v3", "product": { "name": "Quay v3", "product_id": "8Base-Quay-3", "product_identification_helper": { "cpe": 
"cpe:/a:redhat:quay:3::el8" } } } ], "category": "product_family", "name": "Red Hat Quay" }, { "branches": [ { "category": "product_version", "name": "quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "product": { "name": "quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "product_id": "quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-openshift-bridge-rhel8-operator\u0026tag=v3.3.1-4" } } }, { "category": "product_version", "name": "quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "product": { "name": "quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "product_id": "quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-openshift-bridge-rhel8-operator-metadata\u0026tag=v3.3.1-6" } } }, { "category": "product_version", "name": "quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "product": { "name": "quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "product_id": 
"quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-rhel8-operator\u0026tag=v3.3.1-3" } } }, { "category": "product_version", "name": "quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "product": { "name": "quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "product_id": "quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-container-security-rhel8-operator-metadata\u0026tag=v3.3.1-7" } } }, { "category": "product_version", "name": "quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "product": { "name": "quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "product_id": "quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-operator-bundle\u0026tag=v3.3.1-16" } } }, { "category": "product_version", "name": "quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64", "product": { "name": 
"quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64", "product_id": "quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64", "product_identification_helper": { "purl": "pkg:oci/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1?arch=amd64\u0026repository_url=registry.redhat.io/quay/quay-rhel8-operator\u0026tag=v3.3.1-4" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64" }, "product_reference": "quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64" }, "product_reference": "quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64 as a component of Quay v3", "product_id": 
"8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64" }, "product_reference": "quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64" }, "product_reference": "quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64" }, "product_reference": "quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "relates_to_product_reference": "8Base-Quay-3" }, { "category": "default_component_of", "full_product_name": { "name": "quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64 as a component of Quay v3", "product_id": "8Base-Quay-3:quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64" }, "product_reference": "quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64", "relates_to_product_reference": "8Base-Quay-3" } ] }, "vulnerabilities": [ { "acknowledgments": [ { 
"names": [ "Joey Schorr" ], "organization": "Red Hat", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2020-14313", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2020-06-29T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1853026" } ], "notes": [ { "category": "description", "text": "An information disclosure vulnerability was found in Red Hat Quay. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.", "title": "Vulnerability description" }, { "category": "summary", "text": "quay: build triggers can disclose robot account names and existence of private repos within namespaces", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-Quay-3:quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "8Base-Quay-3:quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "8Base-Quay-3:quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64" ] }, "references": 
[ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2020-14313" }, { "category": "external", "summary": "RHBZ#1853026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2020-14313", "url": "https://www.cve.org/CVERecord?id=CVE-2020-14313" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-14313", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14313" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2020:3525", "url": "https://access.redhat.com/errata/RHSA-2020:3525" } ], "release_date": "2020-07-06T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2020-08-19T19:50:53+00:00", "details": "Please download the release images via:\n\nquay.io/redhat/quay:v3.3.1\nquay.io/redhat/clair-jwt:v3.3.1\nquay.io/redhat/quay-builder:v3.3.1\nquay.io/redhat/clair:v3.3.1", "product_ids": [ "8Base-Quay-3:quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "8Base-Quay-3:quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "8Base-Quay-3:quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2020:3525" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": 
"NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "8Base-Quay-3:quay/quay-container-security-rhel8-operator-metadata@sha256:e6de465f8eb15f4e27775cf2cf943c2264adae799df254a15f81c89dd5791efc_amd64", "8Base-Quay-3:quay/quay-container-security-rhel8-operator@sha256:f6c5f198dfe86402d65659eb83517aedd6de5ce0eb1e93689dd5e5ab47010703_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator-metadata@sha256:6dd16c3286714b577b1ab89a243514367e5e50fea74bc7eb02894ed3113f198b_amd64", "8Base-Quay-3:quay/quay-openshift-bridge-rhel8-operator@sha256:c3accac2b227aa200d3a3774ce787eaf92783725e0bd8443b6f3b02787be9e6d_amd64", "8Base-Quay-3:quay/quay-operator-bundle@sha256:f44ec43ace96887f007ef02b0f4234124df9c322c9349bce6f079667af2abc7a_amd64", "8Base-Quay-3:quay/quay-rhel8-operator@sha256:1c575fd5e86c57c9ced3826b2f04f0ab69de226cff37b9cda6bc7962c928fef1_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "quay: build triggers can disclose robot account names and existence of private repos within namespaces" } ] }
ghsa-qp9w-fqwx-r4j3
Vulnerability from github
Published
2022-05-24 17:25
Modified
2022-05-24 17:25
Details
An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.
{ "affected": [], "aliases": [ "CVE-2020-14313" ], "database_specific": { "cwe_ids": [ "CWE-200" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2020-08-11T14:15:00Z", "severity": "MODERATE" }, "details": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.", "id": "GHSA-qp9w-fqwx-r4j3", "modified": "2022-05-24T17:25:18Z", "published": "2022-05-24T17:25:18Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14313" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026" } ], "schema_version": "1.4.0", "severity": [] }
cnvd-2021-17780
Vulnerability from cnvd
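Title: Red Hat Quay information disclosure vulnerability
Description:
Red Hat Quay is a distributed container image registry from Red Hat (USA), used mainly to build, distribute and deploy containers.
An information disclosure vulnerability exists in Red Hat Quay. The vulnerability stems from configuration or similar errors in a network system or product during operation. An unauthorized attacker can exploit the vulnerability to obtain sensitive information from the affected component.
Severity: Medium
Formal description:
The vendor has not yet released a fix for this security issue; users of this software are advised to watch the vendor's home page or the reference URL for a solution: https://www.redhat.com/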
Reference: https://access.redhat.com/security/cve/cve-2020-14313
Impacted products
Name | Red Hat Quay <3.3.1 |
---|
{ "cves": { "cve": { "cveNumber": "CVE-2020-14313" } }, "description": "Red Hat Quay\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u6b3e\u5206\u5e03\u5f0f\u5bb9\u5668\u955c\u50cf\u4ed3\u5e93\uff0c\u5b83\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u3001\u5206\u5e03\u548c\u90e8\u7f72\u5bb9\u5668\u3002\n\nRed Hat Quay\u4e2d\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u5728\u8fd0\u884c\u8fc7\u7a0b\u4e2d\u5b58\u5728\u914d\u7f6e\u7b49\u9519\u8bef\u3002\u672a\u6388\u6743\u7684\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u53d7\u5f71\u54cd\u7ec4\u4ef6\u654f\u611f\u4fe1\u606f\u3002", "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://www.redhat.com/", "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e", "number": "CNVD-2021-17780", "openTime": "2021-03-16", "products": { "product": "Red Hat Quay \u003c3.3.1" }, "referenceLink": "https://access.redhat.com/security/cve/cve-2020-14313", "serverity": "\u4e2d", "submitTime": "2020-07-07", "title": "Red Hat Quay\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e" }
gsd-2020-14313
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.
Aliases
{ "GSD": { "alias": "CVE-2020-14313", "description": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.", "id": "GSD-2020-14313", "references": [ "https://access.redhat.com/errata/RHSA-2020:3525" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2020-14313" ], "details": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.", "id": "GSD-2020-14313", "modified": "2023-12-13T01:22:00.209642Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14313", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Quay", "version": { "version_data": [ { "version_value": "Quay versions before 3.3.1" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Exposure of Sensitive Information to an Unauthorized Actor" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026" } ] } }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:quay:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "3.3.1", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14313" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026", "refsource": "MISC", "tags": [ "Issue Tracking", "Vendor Advisory" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4 } }, "lastModifiedDate": "2021-07-21T11:39Z", "publishedDate": "2020-08-11T14:15Z" } } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.