CVE-2024-5891

A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. This issue is limited to authentication and not authorization. However, in configurations where endpoints rely only on authentication, a user may authenticate to applications they otherwise have no access to.
Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*

History

21 Nov 2024, 09:48

Type Values Removed Values Added
References () https://access.redhat.com/security/cve/CVE-2024-5891 - Broken Link () https://access.redhat.com/security/cve/CVE-2024-5891 - Broken Link
References () https://bugzilla.redhat.com/show_bug.cgi?id=2283879 - Issue Tracking, Permissions Required () https://bugzilla.redhat.com/show_bug.cgi?id=2283879 - Issue Tracking, Permissions Required

04 Oct 2024, 12:32

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : 4.2

26 Sep 2024, 14:45

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 4.2
v2 : unknown
v3 : 7.5
CWE NVD-CWE-Other
CPE cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*
First Time Redhat
Redhat quay
References () https://access.redhat.com/security/cve/CVE-2024-5891 - () https://access.redhat.com/security/cve/CVE-2024-5891 - Broken Link
References () https://bugzilla.redhat.com/show_bug.cgi?id=2283879 - () https://bugzilla.redhat.com/show_bug.cgi?id=2283879 - Issue Tracking, Permissions Required

13 Jun 2024, 18:36

Type Values Removed Values Added
Summary
  • (es) Se encontró una vulnerabilidad en Quay. Si un atacante puede obtener el ID de cliente de una aplicación, puede utilizar un token de OAuth para autenticarse a pesar de no tener acceso a la organización desde la que se creó la aplicación. Este problema se limita a la autenticación y no a la autorización. Sin embargo, en configuraciones donde los endpoints dependen únicamente de la autenticación, un usuario puede autenticarse en aplicaciones a las que de otro modo no tendría acceso.

12 Jun 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-06-12 14:15

Updated : 2024-11-21 09:48


NVD link : CVE-2024-5891

Mitre link : CVE-2024-5891

CVE.ORG link : CVE-2024-5891


JSON object : View

Products Affected

redhat

  • quay
CWE
CWE-1390

Weak Authentication

NVD-CWE-Other