Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Important: Red Hat Quay security update

Related Vulnerabilities: CVE-2023-23931   CVE-2023-25577   CVE-2023-30861  

Source

Synopsis

Important: Red Hat Quay security update

Type/Severity

Security Advisory: Important

Topic

An update is now available for Red Hat Quay 3.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

An update is now available for Red Hat Quay 3.

Security Fix(es):

  • python-werkzeug: high resource usage when parsing multipart form data with many fields (CVE-2023-25577)
  • flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header (CVE-2023-30861)
  • python-cryptography: memory corruption via immutable objects (CVE-2023-23931)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Quay for IBM Power, little endian 3 ppc64le
  • Red Hat Quay for IBM Z and LinuxONE 3 s390x
  • Red Hat Quay 3 x86_64

Fixes

  • BZ - 2170242 - CVE-2023-25577 python-werkzeug: high resource usage when parsing multipart form data with many fields
  • BZ - 2171817 - CVE-2023-23931 python-cryptography: memory corruption via immutable objects
  • BZ - 2196643 - CVE-2023-30861 flask: Possible disclosure of permanent session cookie due to missing Vary: Cookie header
  • PROJQUAY-2462 - Consider changing the type of the removed_tag_expiration_s from integer to bigint
  • PROJQUAY-2803 - Quay should notify Clair when manifests are garbage collected
  • PROJQUAY-3906 - Quay can see the push image on Console after push image get error "Quota has been exceeded on namespace"
  • PROJQUAY-4126 - Clair database growing
  • PROJQUAY-5021 - Remove the config editor
  • PROJQUAY-5212 - Quay 3.8.1 can't mirror OCI images from Docker Hub
  • PROJQUAY-5489 - Pushing an artifact to Quay with oras binary results in a 502
  • PROJQUAY-5506 - Auto-Pruning Policies for Organizations
  • PROJQUAY-5598 - Log auditing tries to write to the database in read-only mode
  • PROJQUAY-5957 - Core UI Functionality: Teams & Membership
  • PROJQUAY-5958 - Core UI Functionality: Tag History, Labels, & Expiration
  • PROJQUAY-5959 - Core UI Functionality: Settings & Permissions
  • PROJQUAY-5960 - Core UI Functionality: Robot Accounts
  • PROJQUAY-5963 - Core UI Functionality: Default Permissions
  • PROJQUAY-6010 - Registry quota total worker fails to start due to import
  • PROJQUAY-6048 - Poor UI performance with quotas enabled
  • PROJQUAY-6184 - ui: Add missing props for Create robot account modal

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started