CVE-2025-4374 | THREATINT

Description

A flaw was found in Quay. When an organization acts as a proxy cache, and a user or robot pulls an image that hasn't been mirrored yet, they are granted "Admin" permissions on the newly created repository.

PUBLISHED Reserved 2025-05-06 | Published 2025-05-06 | Updated 2026-02-27 | Assigner redhat

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

Incorrect Privilege Assignment

Product status

Default status

unaffected

Any version before 3.11.11

affected

2.14.0 (semver) before 3.14.2

affected

3.12.0 (semver) before 3.12.10

affected

Default status

affected

Timeline

2025-05-06:	Reported to Red Hat.
2025-05-06:	Made public.

References

access.redhat.com/security/cve/CVE-2025-4374 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2364267 (RHBZ#2364267) issue-tracking

cve.org (CVE-2025-4374)

nvd.nist.gov (CVE-2025-4374)

Download JSON