CVE-2020-27831

CWE-284 — Improper Access Control CWE-522 — Insufficiently Protected Credentials4 documents4 sources

Severity

4.3MEDIUM

EPSS

0.1%

top 67.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Quay

Timeline

PublishedMay 27

Latest updateMay 24

Description

A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email notifications. This flaw allows an attacker to add email addresses they do not own to repository notifications.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDredhat/quay3.0.0 — 3.3.3

▶CVEListV5quayQuay 3.3.3

🔴Vulnerability Details

GHSA

GHSA-3mxm-3qx9-6gq2: A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email not↗2022-05-24

▶

CVEList

CVE-2020-27831: A flaw was found in Red Hat Quay, where it does not properly protect the authorization token when authorizing email addresses for repository email not↗2021-05-26

▶

📋Vendor Advisories

Red Hat

quay: email notifications authorization bypass↗2020-12-09

▶