CVE-2019-3864
HIGHRed Hat Quay < 3.0.0 - Cross-Site Request Forgery via Reused CSRF Token
Title source: llmDescription
A vulnerability was discovered in all quay-2 versions before quay-3.0.0, in the Quay web GUI where POST requests include a specific parameter which is used as a CSRF token. The token is not refreshed for every request or when a user logged out and in again. An attacker could use a leaked token to gain access to the system using the user's account.
References (1)
Core 1
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3864
Scores
CVSS v3
8.8
EPSS
0.0016
EPSS Percentile
36.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (1)
redhat/quay
< 3.0.0
Published
Jan 21, 2020
Tracked Since
Feb 18, 2026