CVE-2023-4959

A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim’s browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges).

Published: Sep 15, 2023
Updated: Sep 21, 2023
CVE: CVE-2023-4959
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CWEs:

CWE-352

Affected Software
References

Software	From	Fixed in
redhat / quay	3.0.0	3.0.0.x

https://access.redhat.com/security/cve/CVE-2023-4959
https://bugzilla.redhat.com/show_bug.cgi?id=2238908

Vulnerability Database

289,598

CVE-2023-4959