OpenCVE

An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Quay

Configuration 1 [-]

cpe:2.3:a:redhat:quay:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Quay 3
quay-bridge-operator-container	cpe:/a:redhat:quay:3::el8	RHSA-2020:3525	2020-08-19T00:00:00Z
quay-bridge-operator-metadata-container	cpe:/a:redhat:quay:3::el8	RHSA-2020:3525	2020-08-19T00:00:00Z
quay-cso-operator-container	cpe:/a:redhat:quay:3::el8	RHSA-2020:3525	2020-08-19T00:00:00Z
quay-cso-operator-metadata-container	cpe:/a:redhat:quay:3::el8	RHSA-2020:3525	2020-08-19T00:00:00Z
quay-operator-bundle-container	cpe:/a:redhat:quay:3::el8	RHSA-2020:3525	2020-08-19T00:00:00Z
quay-setup-operator-container	cpe:/a:redhat:quay:3::el8	RHSA-2020:3525	2020-08-19T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2020:3525
https://bugzilla.redhat.com/show_bug.cgi?id=1853026
https://nvd.nist.gov/vuln/detail/CVE-2020-14313
https://www.cve.org/CVERecord?id=CVE-2020-14313

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-08-11T13:42:26

Updated: 2024-08-04T12:39:36.208Z

Reserved: 2020-06-17T00:00:00

Link: CVE-2020-14313

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-08-11T14:15:11.553

Modified: 2024-11-21T05:02:59.207

Link: CVE-2020-14313

Redhat

Severity : Moderate

Publid Date: 2020-07-06T00:00:00Z

Links: CVE-2020-14313 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Quay", "vendor": "n/a", "versions": [{"status": "affected", "version": "Quay versions before 3.3.1"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace."}], "problemTypes": [{"descriptions": [{"description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-08-11T13:42:26", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14313", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Quay", "version": {"version_data": [{"version_value": "Quay versions before 3.3.1"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Exposure of Sensitive Information to an Unauthorized Actor"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:36.208Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14313", "datePublished": "2020-08-11T13:42:26", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:39:36.208Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:quay:*:*:*:*:*:*:*:*", "matchCriteriaId": "56E9B3DE-B7A8-4DFD-8855-50D29611B554", "versionEndExcluding": "3.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n en Red Hat Quay en versiones anteriores a 3.3.1. Este fallo permite a un atacante que puede crear un desencadenamiento de compilaci\u00f3n en un repositorio, divulgar los nombres de cuentas de robot y la existencia de repositorios privados dentro de cualquier espacio de nombres"}], "id": "CVE-2020-14313", "lastModified": "2024-11-21T05:02:59.207", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-11T14:15:11.553", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Joey Schorr (Red Hat).", "affected_release": [{"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-bridge-operator-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-bridge-operator-metadata-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-cso-operator-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-cso-operator-metadata-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-operator-bundle-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}, {"advisory": "RHSA-2020:3525", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay-setup-operator-container", "product_name": "Red Hat Quay 3", "release_date": "2020-08-19T00:00:00Z"}], "bugzilla": {"description": "quay: build triggers can disclose robot account names and existence of private repos within namespaces", "id": "1853026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1853026"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["An information disclosure vulnerability was found in Red Hat Quay in versions before 3.3.1. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace.", "An information disclosure vulnerability was found in Red Hat Quay. This flaw allows an attacker who can create a build trigger in a repository, to disclose the names of robot accounts and the existence of private repositories within any namespace."], "name": "CVE-2020-14313", "public_date": "2020-07-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14313\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14313\nhttps://access.redhat.com/errata/RHSA-2020:3525"], "threat_severity": "Moderate", "upstream_fix": "quay 3.3.1"}