{"containers": {"cna": {"affected": [{"product": "quay", "vendor": "n/a", "versions": [{"status": "affected", "version": "quay 3.3.2"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay, where it has a persistent Cross-site Scripting (XSS) vulnerability when displaying a repository's notification. This flaw allows an attacker to trick a user into performing a malicious action to impersonate the target user. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-27T13:50:39", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905784"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-27832", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "quay", "version": {"version_data": [{"version_value": "quay 3.3.2"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in Red Hat Quay, where it has a persistent Cross-site Scripting (XSS) vulnerability when displaying a repository's notification. This flaw allows an attacker to trick a user into performing a malicious action to impersonate the target user. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-79"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1905784", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905784"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T16:25:43.224Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905784"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-27832", "datePublished": "2021-05-27T13:50:39", "dateReserved": "2020-10-27T00:00:00", "dateUpdated": "2024-08-04T16:25:43.224Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:quay:*:*:*:*:*:*:*:*", "matchCriteriaId": "57EA0E6C-9F68-42BA-B4DE-76C83879CB22", "versionEndExcluding": "3.3.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Red Hat Quay, where it has a persistent Cross-site Scripting (XSS) vulnerability when displaying a repository's notification. This flaw allows an attacker to trick a user into performing a malicious action to impersonate the target user. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Red Hat Quay, donde presenta una vulnerabilidad de tipo Cross-site Scripting (XSS) persistente cuando se muestra la notificaci\u00f3n de un repositorio. Este fallo permite a un atacante enga\u00f1ar a un usuario para llevar a cabo una acci\u00f3n maliciosa para suplantar al usuario objetivo. La mayor amenaza de esta vulnerabilidad es la confidencialidad, la integridad y la disponibilidad del sistema"}], "id": "CVE-2020-27832", "lastModified": "2021-06-08T02:12:25.117", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-27T14:15:07.357", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905784"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Chen Cohen (eBay) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2021:0050", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-container-security-rhel8-operator:v3.3.3-2", "product_name": "Red Hat Quay 3", "release_date": "2021-01-11T00:00:00Z"}, {"advisory": "RHSA-2021:0050", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-container-security-rhel8-operator-metadata:v3.3.3-4", "product_name": "Red Hat Quay 3", "release_date": "2021-01-11T00:00:00Z"}, {"advisory": "RHSA-2021:0050", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-openshift-bridge-rhel8-operator:v3.3.3-1", "product_name": "Red Hat Quay 3", "release_date": "2021-01-11T00:00:00Z"}, {"advisory": "RHSA-2021:0050", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-openshift-bridge-rhel8-operator-metadata:v3.3.2-2", "product_name": "Red Hat Quay 3", "release_date": "2021-01-11T00:00:00Z"}, {"advisory": "RHSA-2021:0050", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-operator-bundle:v3.3.3-3", "product_name": "Red Hat Quay 3", "release_date": "2021-01-11T00:00:00Z"}, {"advisory": "RHSA-2021:0050", "cpe": "cpe:/a:redhat:quay:3::el8", "package": "quay/quay-rhel8-operator:v3.3.3-3", "product_name": "Red Hat Quay 3", "release_date": "2021-01-11T00:00:00Z"}], "bugzilla": {"description": "quay: persistent XSS in repository notification display", "id": "1905784", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1905784"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-79", "details": ["A flaw was found in Red Hat Quay, where it has a persistent Cross-site Scripting (XSS) vulnerability when displaying a repository's notification. This flaw allows an attacker to trick a user into performing a malicious action to impersonate the target user. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.", "A flaw was found in Red Hat Quay, where it has a persistent Cross-site Scripting (XSS) vulnerability when displaying a repository's notification. This flaw allows an attacker to trick a user into performing a malicious action to impersonate the target user. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2020-27832", "public_date": "2020-12-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-27832\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-27832"], "threat_severity": "Moderate", "upstream_fix": "quay 3.3.2"}