Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0099
Red Hat Quay v3.3.3 bug fix and security update
12 January 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat Quay v3.3.3
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Existing Account
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-27832 CVE-2020-27831 CVE-2020-24659
CVE-2020-15503 CVE-2020-14422 CVE-2020-14391
CVE-2020-14382 CVE-2020-13632 CVE-2020-13631
CVE-2020-13630 CVE-2020-11793 CVE-2020-10029
CVE-2020-10018 CVE-2020-9925 CVE-2020-9915
CVE-2020-9895 CVE-2020-9894 CVE-2020-9893
CVE-2020-9862 CVE-2020-9850 CVE-2020-9843
CVE-2020-9807 CVE-2020-9806 CVE-2020-9805
CVE-2020-9803 CVE-2020-9802 CVE-2020-9327
CVE-2020-8492 CVE-2020-7595 CVE-2020-6405
CVE-2020-3902 CVE-2020-3901 CVE-2020-3900
CVE-2020-3899 CVE-2020-3897 CVE-2020-3895
CVE-2020-3894 CVE-2020-3885 CVE-2020-3868
CVE-2020-3867 CVE-2020-3865 CVE-2020-3864
CVE-2020-3862 CVE-2020-1971 CVE-2020-1752
CVE-2020-1751 CVE-2020-1730 CVE-2019-20916
CVE-2019-20907 CVE-2019-20807 CVE-2019-20454
CVE-2019-20388 CVE-2019-20387 CVE-2019-20218
CVE-2019-19956 CVE-2019-19906 CVE-2019-19221
CVE-2019-16935 CVE-2019-16168 CVE-2019-15903
CVE-2019-15165 CVE-2019-14889 CVE-2019-13627
CVE-2019-13050 CVE-2019-8846 CVE-2019-8844
CVE-2019-8835 CVE-2019-8823 CVE-2019-8820
CVE-2019-8819 CVE-2019-8816 CVE-2019-8815
CVE-2019-8814 CVE-2019-8813 CVE-2019-8812
CVE-2019-8811 CVE-2019-8808 CVE-2019-8783
CVE-2019-8782 CVE-2019-8771 CVE-2019-8769
CVE-2019-8766 CVE-2019-8764 CVE-2019-8743
CVE-2019-8720 CVE-2019-8710 CVE-2019-8625
CVE-2019-5018 CVE-2018-20843
Reference: ASB-2020.0226
ASB-2019.0307
ESB-2021.0089
ESB-2020.4514
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:0050
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat Quay v3.3.3 bug fix and security update
Advisory ID: RHSA-2021:0050-01
Product: Red Hat Quay
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0050
Issue date: 2021-01-11
CVE Names: CVE-2018-20843 CVE-2019-5018 CVE-2019-8625
CVE-2019-8710 CVE-2019-8720 CVE-2019-8743
CVE-2019-8764 CVE-2019-8766 CVE-2019-8769
CVE-2019-8771 CVE-2019-8782 CVE-2019-8783
CVE-2019-8808 CVE-2019-8811 CVE-2019-8812
CVE-2019-8813 CVE-2019-8814 CVE-2019-8815
CVE-2019-8816 CVE-2019-8819 CVE-2019-8820
CVE-2019-8823 CVE-2019-8835 CVE-2019-8844
CVE-2019-8846 CVE-2019-13050 CVE-2019-13627
CVE-2019-14889 CVE-2019-15165 CVE-2019-15903
CVE-2019-16168 CVE-2019-16935 CVE-2019-19221
CVE-2019-19906 CVE-2019-19956 CVE-2019-20218
CVE-2019-20387 CVE-2019-20388 CVE-2019-20454
CVE-2019-20807 CVE-2019-20907 CVE-2019-20916
CVE-2020-1730 CVE-2020-1751 CVE-2020-1752
CVE-2020-1971 CVE-2020-3862 CVE-2020-3864
CVE-2020-3865 CVE-2020-3867 CVE-2020-3868
CVE-2020-3885 CVE-2020-3894 CVE-2020-3895
CVE-2020-3897 CVE-2020-3899 CVE-2020-3900
CVE-2020-3901 CVE-2020-3902 CVE-2020-6405
CVE-2020-7595 CVE-2020-8492 CVE-2020-9327
CVE-2020-9802 CVE-2020-9803 CVE-2020-9805
CVE-2020-9806 CVE-2020-9807 CVE-2020-9843
CVE-2020-9850 CVE-2020-9862 CVE-2020-9893
CVE-2020-9894 CVE-2020-9895 CVE-2020-9915
CVE-2020-9925 CVE-2020-10018 CVE-2020-10029
CVE-2020-11793 CVE-2020-13630 CVE-2020-13631
CVE-2020-13632 CVE-2020-14382 CVE-2020-14391
CVE-2020-14422 CVE-2020-15503 CVE-2020-24659
CVE-2020-27831 CVE-2020-27832
=====================================================================
1. Summary:
Red Hat Quay v3.3.3 is now available with bug fixes and security updates.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE
link(s) in the References section.
Note: Red Hat Quay v3.3.2 was not released publicly.
2. Description:
This release of Red Hat Quay v3.3.3 includes:
Security Update(s):
* quay: persistent XSS in repository notification display (CVE-2020-27832)
* quay: email notifications authorization bypass (CVE-2020-27831)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Bug Fix(es):
* NVD feed fixed in Clair-v2 (clair-jwt image)
3. Solution:
Download the release images via:
quay.io/redhat/quay:v3.3.3
quay.io/redhat/clair-jwt:v3.3.3
quay.io/redhat/quay-builder:v3.3.3
quay.io/redhat/clair:v3.3.3
4. Bugs fixed (https://bugzilla.redhat.com/):
1905758 - CVE-2020-27831 quay: email notifications authorization bypass
1905784 - CVE-2020-27832 quay: persistent XSS in repository notification display
5. JIRA issues fixed (https://issues.jboss.org/):
PROJQUAY-1124 - NVD feed is broken for latest Clair v2 version
6. References:
https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-8625
https://access.redhat.com/security/cve/CVE-2019-8710
https://access.redhat.com/security/cve/CVE-2019-8720
https://access.redhat.com/security/cve/CVE-2019-8743
https://access.redhat.com/security/cve/CVE-2019-8764
https://access.redhat.com/security/cve/CVE-2019-8766
https://access.redhat.com/security/cve/CVE-2019-8769
https://access.redhat.com/security/cve/CVE-2019-8771
https://access.redhat.com/security/cve/CVE-2019-8782
https://access.redhat.com/security/cve/CVE-2019-8783
https://access.redhat.com/security/cve/CVE-2019-8808
https://access.redhat.com/security/cve/CVE-2019-8811
https://access.redhat.com/security/cve/CVE-2019-8812
https://access.redhat.com/security/cve/CVE-2019-8813
https://access.redhat.com/security/cve/CVE-2019-8814
https://access.redhat.com/security/cve/CVE-2019-8815
https://access.redhat.com/security/cve/CVE-2019-8816
https://access.redhat.com/security/cve/CVE-2019-8819
https://access.redhat.com/security/cve/CVE-2019-8820
https://access.redhat.com/security/cve/CVE-2019-8823
https://access.redhat.com/security/cve/CVE-2019-8835
https://access.redhat.com/security/cve/CVE-2019-8844
https://access.redhat.com/security/cve/CVE-2019-8846
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15165
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2019-20807
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2019-20916
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-3862
https://access.redhat.com/security/cve/CVE-2020-3864
https://access.redhat.com/security/cve/CVE-2020-3865
https://access.redhat.com/security/cve/CVE-2020-3867
https://access.redhat.com/security/cve/CVE-2020-3868
https://access.redhat.com/security/cve/CVE-2020-3885
https://access.redhat.com/security/cve/CVE-2020-3894
https://access.redhat.com/security/cve/CVE-2020-3895
https://access.redhat.com/security/cve/CVE-2020-3897
https://access.redhat.com/security/cve/CVE-2020-3899
https://access.redhat.com/security/cve/CVE-2020-3900
https://access.redhat.com/security/cve/CVE-2020-3901
https://access.redhat.com/security/cve/CVE-2020-3902
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8492
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-9802
https://access.redhat.com/security/cve/CVE-2020-9803
https://access.redhat.com/security/cve/CVE-2020-9805
https://access.redhat.com/security/cve/CVE-2020-9806
https://access.redhat.com/security/cve/CVE-2020-9807
https://access.redhat.com/security/cve/CVE-2020-9843
https://access.redhat.com/security/cve/CVE-2020-9850
https://access.redhat.com/security/cve/CVE-2020-9862
https://access.redhat.com/security/cve/CVE-2020-9893
https://access.redhat.com/security/cve/CVE-2020-9894
https://access.redhat.com/security/cve/CVE-2020-9895
https://access.redhat.com/security/cve/CVE-2020-9915
https://access.redhat.com/security/cve/CVE-2020-9925
https://access.redhat.com/security/cve/CVE-2020-10018
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-11793
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-14382
https://access.redhat.com/security/cve/CVE-2020-14391
https://access.redhat.com/security/cve/CVE-2020-14422
https://access.redhat.com/security/cve/CVE-2020-15503
https://access.redhat.com/security/cve/CVE-2020-24659
https://access.redhat.com/security/cve/CVE-2020-27831
https://access.redhat.com/security/cve/CVE-2020-27832
https://access.redhat.com/security/updates/classification/#moderate
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBX/v/8tzjgjWX9erEAQjpBA//cBROsr6OlFT9Ug7n2kXtMABJl3pOA2Tb
b18R3acHG6GWpZw/+rrJlmkP/M39CaaZLIJuoI5R2vAx1OvjLFBrgER2tELKP9WW
c1c9Zyp1JOtaOaQIvGbO9D5PnyT8V/VD7SFj8/vCl4zjR+wxAFxfmaWlM3kiXb5w
rKQb1kBakB+OwGCDwi28J8ogS4jCCWROPndLdyRCfgtKFg0GWJ58ZmkC2v2tu/S2
8fejJZ7QcELjZiYcAjI/7ISWdqBZ9+sjHAQMe8GqtEwBs0jAEOAS43yrkmrOXZZ8
kv2jjdjFomzsHe3HnHOGRjLvAhtLIhZOGLH7HdC2EIClYlCr4ET+rlSfcDJmhefY
h+Cz6WOqURcM7vNBwz1cVl+dFjsyC/mV1+yDNDYr6giw7apOcu03CZzjVZEyT1wW
zw9Lnjafis4puyZjMTN5hi3guAP7hinpdBvnsCceGYbO37wbZnIzmbPQ27epAcUM
HamtyjBSsiowZbcvpAlDH733UjRFXEbbg6KcryDImR2fZIICHBbzYNmrC1vTCyCR
MXGTraJQ4YrHaFn9WQqd4gSjvTld7GEWLQ3l8xbUrqKa2HOy3Twpu5zFB1BfiJh0
/mpnu+K+QiIIJHHq299y8Syq3G33iFtDSfqPWG8rAPpqFmhl4hdTpPpVDnWPVM9z
qTma8bI94e4=
=rKFh
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX/0RHuNLKJtyKPYoAQgdhhAAnSA1zR/uzK/k1zdVkyX747PKqcdYX2QO
FZQxZoRzFLX6pfHQA8eALUtUTn5WcooaqNgRtJNj4DN/d7nrx0P/ZMC5TyIkcaCz
kTdAjJ22q8ufY7ePB0z4EDuZZ3zc0h6dQLLxcp9+3CH/90YpglQUi+YejRWLshFZ
4eavmXbegqAIkTKJGAt1+/oriodyfsFTUXZzlzTybaZ5QI67TpwY0+3EFgcd3Huj
76naeNw4XgfCsZqbk3elL6jxuWdDejB/OKpy9j17WB5stFcMJqMZmr5yDoqCeDJl
ONYD8rtRkIxswX/NbKgmQL+xSELA6b1ynMr3Lasng0Yny9T78731kOeScoStbFuk
/AxpPGqzju2x1ZSV/jxh3hv6CHUMPx7h5xN/ZXxZTtUXpdQvcOfCUf54ENTsMsVA
lTLcC/PrBluifs0hPFU2J5OHZvUiHcdI+esyoIW0vPtkn8jF42F6jXHnE++DZ2BM
E3Vil5TSBp/bsDTX0KLlZlHJeTEomBKWK0LeNQZgGjRJI6lpc0ow3c6f/7pUGr8j
S01bN6tu3SLgNd4UGlVD+uHG9Qm4Uom841DcoX8kMpzDiT6mFWB0lXjXx8IW+HFh
aZgZhG1LkTTTSGPi0VRXaVFBH4PCvRdsRbp1q1eokn01Ry8hy/dBjGe2qDG13Uo5
7X0z/+9/uMY=
=uiyz
-----END PGP SIGNATURE-----