CVE-2024-5891
Last modified
CVE-2024-5891 is a medium-severity vulnerability rated 4.2/10 on the CVSS scale. A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. EPSS estimates a 0.23% chance of exploitation in the next 30 days.
Description
A vulnerability was found in Quay. If an attacker can obtain the client ID for an application, they can use an OAuth token to authenticate despite not having access to the organization from which the application was created. This issue is limited to authentication and not authorization. However, in configurations where endpoints rely only on authentication, a user may authenticate to applications they otherwise have no access to.
Metrics
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Quay | 3.0.0 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2283879Issue Tracking, Permissions Required
- https://bugzilla.redhat.com/show_bug.cgi?id=2283879Issue Tracking, Permissions Required
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-5891?
How severe is CVE-2024-5891?
How do I fix CVE-2024-5891?
Are you affected by CVE-2024-5891?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST