{"containers": {"cna": {"affected": [{"product": "Quay", "vendor": "n/a", "versions": [{"status": "affected", "version": "Quay versions before 3.3.1"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace."}], "problemTypes": [{"descriptions": [{"description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-11T13:42:26", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14313", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Quay", "version": {"version_data": [{"version_value": "Quay versions before 3.3.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:36.208Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14313", "datePublished": "2020-08-11T13:42:26", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:39:36.208Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:quay:*:*:*:*:*:*:*:*", "matchCriteriaId": "56E9B3DE-B7A8-4DFD-8855-50D29611B554", "versionEndExcluding": "3.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en Red Hat Quay en versiones anteriores a 3.3.1. Este fallo permite a un atacante que puede crear un desencadenamiento de compilaci\u00f3n en un repositorio, divulgar los nombres de cuentas de robot y la existencia de repositorios privados dentro de cualquier espacio de nombres"}], "id": "CVE-2020-14313", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-11T14:15:11.553", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Joey Schorr (Red Hat).", "affected_release": [{"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-bridge-operator-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-bridge-operator-metadata-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-cso-operator-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-cso-operator-metadata-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-operator-bundle-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-setup-operator-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}], "bugzilla": {"description": "quay: build triggers can disclose robot account names and existence of private repos within namespaces", "id": "1853026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.", "An information disclosure vulnerability was found in Red Hat Quay. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace."], "name": "CVE-2020-14313", "public_date": "2020-07-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14313\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14313\nhttps://access.redhat.com/errata/RHSA-2020:3525"], "threat_severity": "Moderate", "upstream_fix": "quay 3.3.1"}