Vulnerability Details : CVE-2019-10205
A flaw was found in the way Red Hat Quay stores robot account tokens in plain text. An attacker able to perform database queries in the Red Hat Quay database could use the tokens to read or write container images stored in the registry.
Products affected by CVE-2019-10205
- cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10205
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 10 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-10205
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.6
|
MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
3.9
|
6.4
|
NIST | |
6.0
|
MEDIUM | CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:H |
0.5
|
5.5
|
Red Hat, Inc. | |
6.3
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H |
0.8
|
5.5
|
NIST |
CWE ids for CVE-2019-10205
-
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Assigned by:
- nvd@nist.gov (Secondary)
- secalert@redhat.com (Primary)
References for CVE-2019-10205
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10205
1732190 – (CVE-2019-10205) CVE-2019-10205 quay: Red Hat Quay stores robot account tokens in plain textIssue Tracking;Vendor Advisory
Jump to