CVE-2024-3624
📋 TL;DR
This vulnerability in Quay's mirror-registry exposes database credentials stored in plain-text within the jinja config.yaml file. An attacker with access to this file can gain unauthorized access to Quay's database. This affects systems running vulnerable versions of Quay mirror-registry with the default configuration.
💻 Affected Systems
- Quay mirror-registry
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Quay database leading to data theft, data manipulation, or complete system takeover.
Likely Case
Unauthorized database access allowing extraction of sensitive container registry data and credentials.
If Mitigated
Limited impact if file permissions restrict access to authorized users only.
🎯 Exploit Status
Exploitation requires file system access to read the config.yaml file.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific patched versions.
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-3624
Restart Required: Yes
Instructions:
1. Update Quay mirror-registry to the latest patched version.
2. Restart the Quay service.
3. Verify that credentials are no longer stored in plain text.
🔧 Temporary Workarounds
Secure file permissions
Linux: restrict access to the config.yaml file to only the users that need it.
chmod 600 /path/to/config.yaml
chown root:root /path/to/config.yaml
Encrypt credentials
Linux: move the database credentials out of config.yaml into encrypted storage or environment variables, then have the config reference them instead of holding the literal value.
export DB_PASSWORD='encrypted_value'
Update config.yaml to reference environment variables
🧯 If You Can't Patch
- Implement strict file system access controls on config.yaml
- Monitor for unauthorized access attempts to the config file
🔍 How to Verify
Check if Vulnerable:
Inspect config.yaml for plain-text database credentials in jinja sections.
Check Version:
Run quay --version, or query the package manager (e.g., rpm -q quay-mirror-registry).
Verify Fix Applied:
Confirm config.yaml no longer contains plain-text database credentials and uses secure methods.
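The two workaround steps above (tighten file permissions, take the database password out of config.yaml) and the matching "Verify Fix Applied" check can be scripted. The helper below is an added example, not code from the advisory or from the Quay project; it assumes GNU find on the host, and the DB_URI key and values used in its checks are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or from Quay itself).
# Assumes GNU find on the host. Checks two things the workarounds ask for:
#   1. config.yaml is readable by its owner only (0600-style mode bits)
#   2. no database password is written inline, either embedded in a
#      connection URI (scheme://user:secret@host) or as the literal value
#      of a *password key, instead of a ${VAR} / {{ var }} reference

# Returns 0 when permissions are tight, 1 otherwise.
check_config_perms() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Any group/other permission bit means users besides the owner can reach it.
    if [ -n "$(find "$f" -maxdepth 0 -perm /077 2>/dev/null)" ]; then
        echo "LOOSE PERMS: $f is accessible beyond its owner"
        return 1
    fi
    return 0
}

# Returns 0 when no inline credential is found, 1 otherwise.
check_config_secrets() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # Password embedded in a URI; a value starting with $ or { is a reference, not a secret.
    if grep -Eq '://[^:@/[:space:]]+:[^@[:space:]${]+@' "$f"; then
        echo "PLAINTEXT CRED: a connection URI in $f embeds a password"
        return 1
    fi
    # A *password: key with a literal value rather than an env-var/template reference.
    if grep -Ei '^[[:space:]]*[A-Za-z_]*password[[:space:]]*:[[:space:]]*[^[:space:]]' "$f" \
        | grep -Evq '\$|\{\{'; then
        echo "PLAINTEXT CRED: literal password value in $f"
        return 1
    fi
    return 0
}

# Convenience wrapper: exits 0 only when both checks pass.
audit_config() {
    check_config_perms "$1" && check_config_secrets "$1"
}
```

Run audit_config /path/to/config.yaml after applying the chmod/chown and environment-variable changes; a non-zero exit with the printed reason means one of the workarounds has not taken effect.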
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file access attempts to config.yaml
- Database connection attempts from unexpected sources
Network Indicators:
- Unusual database queries or connections
SIEM Query:
source="file_access" AND file_path="*config.yaml" AND user!="authorized_user"