Red Hat Security Advisory 2021-0050-01 - This release of Red Hat Quay v3.3.3 includes: Security Update: quay: persistent XSS in repository notification display quay: email notifications authorization bypass. Issues addressed include bypass and cross site scripting vulnerabilities.
b7bbf0e20c56feaf00d18ca63528966b622b1d3e566908135253edf8b2b2de04-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Quay v3.3.3 bug fix and security update
Advisory ID: RHSA-2021:0050-01
Product: Red Hat Quay
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0050
Issue date: 2021-01-11
CVE Names: CVE-2018-20843 CVE-2019-5018 CVE-2019-8625
CVE-2019-8710 CVE-2019-8720 CVE-2019-8743
CVE-2019-8764 CVE-2019-8766 CVE-2019-8769
CVE-2019-8771 CVE-2019-8782 CVE-2019-8783
CVE-2019-8808 CVE-2019-8811 CVE-2019-8812
CVE-2019-8813 CVE-2019-8814 CVE-2019-8815
CVE-2019-8816 CVE-2019-8819 CVE-2019-8820
CVE-2019-8823 CVE-2019-8835 CVE-2019-8844
CVE-2019-8846 CVE-2019-13050 CVE-2019-13627
CVE-2019-14889 CVE-2019-15165 CVE-2019-15903
CVE-2019-16168 CVE-2019-16935 CVE-2019-19221
CVE-2019-19906 CVE-2019-19956 CVE-2019-20218
CVE-2019-20387 CVE-2019-20388 CVE-2019-20454
CVE-2019-20807 CVE-2019-20907 CVE-2019-20916
CVE-2020-1730 CVE-2020-1751 CVE-2020-1752
CVE-2020-1971 CVE-2020-3862 CVE-2020-3864
CVE-2020-3865 CVE-2020-3867 CVE-2020-3868
CVE-2020-3885 CVE-2020-3894 CVE-2020-3895
CVE-2020-3897 CVE-2020-3899 CVE-2020-3900
CVE-2020-3901 CVE-2020-3902 CVE-2020-6405
CVE-2020-7595 CVE-2020-8492 CVE-2020-9327
CVE-2020-9802 CVE-2020-9803 CVE-2020-9805
CVE-2020-9806 CVE-2020-9807 CVE-2020-9843
CVE-2020-9850 CVE-2020-9862 CVE-2020-9893
CVE-2020-9894 CVE-2020-9895 CVE-2020-9915
CVE-2020-9925 CVE-2020-10018 CVE-2020-10029
CVE-2020-11793 CVE-2020-13630 CVE-2020-13631
CVE-2020-13632 CVE-2020-14382 CVE-2020-14391
CVE-2020-14422 CVE-2020-15503 CVE-2020-24659
CVE-2020-27831 CVE-2020-27832
=====================================================================
1. Summary:
Red Hat Quay v3.3.3 is now available with bug fixes and security updates.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE
link(s) in the References section.
Note: Red Hat Quay v3.3.2 was not released publicly.
2. Description:
This release of Red Hat Quay v3.3.3 includes:
Security Update(s):
* quay: persistent XSS in repository notification display (CVE-2020-27832)
* quay: email notifications authorization bypass (CVE-2020-27831)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* NVD feed fixed in Clair-v2 (clair-jwt image)
3. Solution:
Download the release images via:
quay.io/redhat/quay:v3.3.3
quay.io/redhat/clair-jwt:v3.3.3
quay.io/redhat/quay-builder:v3.3.3
quay.io/redhat/clair:v3.3.3
4. Bugs fixed (https://bugzilla.redhat.com/):
1905758 - CVE-2020-27831 quay: email notifications authorization bypass
1905784 - CVE-2020-27832 quay: persistent XSS in repository notification display
5. JIRA issues fixed (https://issues.jboss.org/):
PROJQUAY-1124 - NVD feed is broken for latest Clair v2 version
6. References:
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-8625
https://access.redhat.com/security/cve/CVE-2019-8710
https://access.redhat.com/security/cve/CVE-2019-8720
https://access.redhat.com/security/cve/CVE-2019-8743
https://access.redhat.com/security/cve/CVE-2019-8764
https://access.redhat.com/security/cve/CVE-2019-8766
https://access.redhat.com/security/cve/CVE-2019-8769
https://access.redhat.com/security/cve/CVE-2019-8771
https://access.redhat.com/security/cve/CVE-2019-8782
https://access.redhat.com/security/cve/CVE-2019-8783
https://access.redhat.com/security/cve/CVE-2019-8808
https://access.redhat.com/security/cve/CVE-2019-8811
https://access.redhat.com/security/cve/CVE-2019-8812
https://access.redhat.com/security/cve/CVE-2019-8813
https://access.redhat.com/security/cve/CVE-2019-8814
https://access.redhat.com/security/cve/CVE-2019-8815
https://access.redhat.com/security/cve/CVE-2019-8816
https://access.redhat.com/security/cve/CVE-2019-8819
https://access.redhat.com/security/cve/CVE-2019-8820
https://access.redhat.com/security/cve/CVE-2019-8823
https://access.redhat.com/security/cve/CVE-2019-8835
https://access.redhat.com/security/cve/CVE-2019-8844
https://access.redhat.com/security/cve/CVE-2019-8846
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15165
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2019-20807
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2019-20916
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-3862
https://access.redhat.com/security/cve/CVE-2020-3864
https://access.redhat.com/security/cve/CVE-2020-3865
https://access.redhat.com/security/cve/CVE-2020-3867
https://access.redhat.com/security/cve/CVE-2020-3868
https://access.redhat.com/security/cve/CVE-2020-3885
https://access.redhat.com/security/cve/CVE-2020-3894
https://access.redhat.com/security/cve/CVE-2020-3895
https://access.redhat.com/security/cve/CVE-2020-3897
https://access.redhat.com/security/cve/CVE-2020-3899
https://access.redhat.com/security/cve/CVE-2020-3900
https://access.redhat.com/security/cve/CVE-2020-3901
https://access.redhat.com/security/cve/CVE-2020-3902
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8492
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-9802
https://access.redhat.com/security/cve/CVE-2020-9803
https://access.redhat.com/security/cve/CVE-2020-9805
https://access.redhat.com/security/cve/CVE-2020-9806
https://access.redhat.com/security/cve/CVE-2020-9807
https://access.redhat.com/security/cve/CVE-2020-9843
https://access.redhat.com/security/cve/CVE-2020-9850
https://access.redhat.com/security/cve/CVE-2020-9862
https://access.redhat.com/security/cve/CVE-2020-9893
https://access.redhat.com/security/cve/CVE-2020-9894
https://access.redhat.com/security/cve/CVE-2020-9895
https://access.redhat.com/security/cve/CVE-2020-9915
https://access.redhat.com/security/cve/CVE-2020-9925
https://access.redhat.com/security/cve/CVE-2020-10018
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-11793
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-14382
https://access.redhat.com/security/cve/CVE-2020-14391
https://access.redhat.com/security/cve/CVE-2020-14422
https://access.redhat.com/security/cve/CVE-2020-15503
https://access.redhat.com/security/cve/CVE-2020-24659
https://access.redhat.com/security/cve/CVE-2020-27831
https://access.redhat.com/security/cve/CVE-2020-27832
https://access.redhat.com/security/updates/classification/#moderate
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX/v/8tzjgjWX9erEAQjpBA//cBROsr6OlFT9Ug7n2kXtMABJl3pOA2Tb
b18R3acHG6GWpZw/+rrJlmkP/M39CaaZLIJuoI5R2vAx1OvjLFBrgER2tELKP9WW
c1c9Zyp1JOtaOaQIvGbO9D5PnyT8V/VD7SFj8/vCl4zjR+wxAFxfmaWlM3kiXb5w
rKQb1kBakB+OwGCDwi28J8ogS4jCCWROPndLdyRCfgtKFg0GWJ58ZmkC2v2tu/S2
8fejJZ7QcELjZiYcAjI/7ISWdqBZ9+sjHAQMe8GqtEwBs0jAEOAS43yrkmrOXZZ8
kv2jjdjFomzsHe3HnHOGRjLvAhtLIhZOGLH7HdC2EIClYlCr4ET+rlSfcDJmhefY
h+Cz6WOqURcM7vNBwz1cVl+dFjsyC/mV1+yDNDYr6giw7apOcu03CZzjVZEyT1wW
zw9Lnjafis4puyZjMTN5hi3guAP7hinpdBvnsCceGYbO37wbZnIzmbPQ27epAcUM
HamtyjBSsiowZbcvpAlDH733UjRFXEbbg6KcryDImR2fZIICHBbzYNmrC1vTCyCR
MXGTraJQ4YrHaFn9WQqd4gSjvTld7GEWLQ3l8xbUrqKa2HOy3Twpu5zFB1BfiJh0
/mpnu+K+QiIIJHHq299y8Syq3G33iFtDSfqPWG8rAPpqFmhl4hdTpPpVDnWPVM9z
qTma8bI94e4=
=rKFh
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed