CVE-2019-3867 - OpenCVE

A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user's container repository. Red Hat Quay 2 and 3 are vulnerable to this issue.

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Quay

Configuration 1 [-]

OR	cpe:2.3:a:redhat:quay:2.0.0:::::::*
	cpe:2.3:a:redhat:quay:3.0.0:::::::*

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1772704	Issue Tracking Mitigation Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2021-03-18T18:04:18

Updated: 2021-03-18T18:04:18

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3867

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-18T19:15:13.137

Modified: 2021-03-25T20:08:20.160

Link: CVE-2019-3867

JSON object: View

Redhat Information

No data.

CWE

CWE-613

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:quay:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6F94892C-C23C-4703-B9D0-D9DC3038C7E6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1987BDA-0113-4603-B9BE-76647EB043F2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the Quay web application. Sessions in the Quay web application never expire. An attacker, able to gain access to a session, could use it to control or delete a user's container repository. Red Hat Quay 2 and 3 are vulnerable to this issue."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en la aplicaci\u00f3n web Quay. Las sesiones en la aplicaci\u00f3n web de Quay nunca expiran. Un atacante, capaz de conseguir acceso a una sesi\u00f3n, podr\u00eda usarla para controlar o eliminar el dep\u00f3sito de contenedores de un usuario. Red Hat Quay versiones 2 y 3 son vulnerables a este problema"}], "id": "CVE-2019-3867", "lastModified": "2021-03-25T20:08:20.160", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-18T19:15:13.137", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772704"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "secalert@redhat.com", "type": "Primary"}]}