CVE-2023-4959

Quay: cross-site request forgery (csrf) on config-editor page

Description

A flaw was found in Quay. Cross-site request forgery (CSRF) attacks force a user to perform unwanted actions in an application. During the pentest, it was detected that the config-editor page is vulnerable to CSRF. The config-editor page is used to configure the Quay instance. By coercing the victim’s browser into sending an attacker-controlled request from another domain, it is possible to reconfigure the Quay instance (including adding users with admin privileges).

Remediation

Workaround:

  • To avoid the risk associated with this vulnerability, it is recommended to include a secret in all requests that may generate a change in the application's data. A secret is understood, for example, as an extra parameter, generated and sent to the client when accessing the web resource from which the request to be protected is launched. This secret must be generated randomly and be different for each request to be made. On the server side, the application must check that these requests, which cause significant modifications to the data, include the previously generated secrets. If this is not included or is erroneous, the application should not perform the corresponding action. In addition to this secret, it is recommended to set the "SameSite" attribute in the session cookie with the following values: - SameSite=Strict: this value prevents the cookie from being sent in any cross-origin request. - SameSite=Lax: this is the value that is recommended in this case as any action carried out via POST or via a script from a cross-origin will be rejected by the browser.

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.10%
Vendor Advisory redhat.com Vendor Advisory redhat.com
Affected: Red Hat Red Hat Quay 3
Published at:
Updated at:

References

Link Tags
https://access.redhat.com/security/cve/CVE-2023-4959 vdb entry vendor advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2238908 vendor advisory issue tracking

Frequently Asked Questions

What is the severity of CVE-2023-4959?
CVE-2023-4959 has been scored as a medium severity vulnerability.
How to fix CVE-2023-4959?
As a workaround for remediating CVE-2023-4959: To avoid the risk associated with this vulnerability, it is recommended to include a secret in all requests that may generate a change in the application's data. A secret is understood, for example, as an extra parameter, generated and sent to the client when accessing the web resource from which the request to be protected is launched. This secret must be generated randomly and be different for each request to be made. On the server side, the application must check that these requests, which cause significant modifications to the data, include the previously generated secrets. If this is not included or is erroneous, the application should not perform the corresponding action. In addition to this secret, it is recommended to set the "SameSite" attribute in the session cookie with the following values: - SameSite=Strict: this value prevents the cookie from being sent in any cross-origin request. - SameSite=Lax: this is the value that is recommended in this case as any action carried out via POST or via a script from a cross-origin will be rejected by the browser.
Is CVE-2023-4959 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-4959 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-4959?
CVE-2023-4959 affects Red Hat Red Hat Quay 3.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.