Bug 1222717 (CVE-2024-3623)

Summary: VUL-0: CVE-2024-3623: mirror-registry: Default database secret key stored in plain-text on initial configuration file
Product: [openSUSE] openSUSE Distribution
Reporter: SMASH SMASH <smash_bz>
Component: Security
Assignee: Thorsten Kukuk <kukuk>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: thomas.leroy
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/401399/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-04-12 09:07:56 UTC
The default DATABASE_SECRET_KEY field is stored in plain text in the Jinja config.yaml file, leaving the possibility that every mirror-registry installation which hasn't changed it has the same DATABASE_SECRET_KEY.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-3623
https://bugzilla.redhat.com/show_bug.cgi?id=2274404
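Added example (not code from this bug, from mirror-registry, or from Quay): a small audit that reads a rendered config.yaml, flags DATABASE_SECRET_KEY and SECRET_KEY when they are missing, short, or identical to the value a template ships, and rewrites them with a fresh random secret. The sample config and the TEMPLATE_DEFAULT_SECRET placeholder are constructed for the example; the real template value is deliberately not reproduced here. The line-based parser only handles top-level scalar keys, which is all a Quay-style config needs for these two settings.

```python
import re
import secrets

# Hypothetical stand-in for the value a config template ships with.
# It is NOT the real mirror-registry default; the check only needs "something
# that every unmodified install shares".
TEMPLATE_DEFAULT_SECRET = "template-default-secret-key-placeholder"

# Constructed sample of a rendered config.yaml (not a real deployment file).
SAMPLE_CONFIG = f"""\
DB_URI: postgresql://user:pass@localhost:5432/quay
DATABASE_SECRET_KEY: {TEMPLATE_DEFAULT_SECRET}
SECRET_KEY: {TEMPLATE_DEFAULT_SECRET}
SERVER_HOSTNAME: registry.example.internal
"""

# Matches "KEY: value" on its own line; values without spaces only, which is
# sufficient for secrets, URIs and hostnames.
KEY_RE = re.compile(r"^(?P<key>[A-Z_]+):\s*(?P<val>\S*)\s*$", re.M)


def get_setting(config_text, key):
    """Return the value of a top-level scalar key, or None if it is absent."""
    for m in KEY_RE.finditer(config_text):
        if m.group("key") == key:
            return m.group("val").strip("'\"")
    return None


def is_weak_secret(value, known_defaults=(TEMPLATE_DEFAULT_SECRET,), min_len=32):
    """Weak if missing, equal to a known shipped default, or shorter than min_len."""
    if not value:
        return True
    if value in known_defaults:
        return True
    return len(value) < min_len


def audit(config_text, keys=("DATABASE_SECRET_KEY", "SECRET_KEY")):
    """Return the names of the keys whose current value is weak."""
    return [k for k in keys if is_weak_secret(get_setting(config_text, k))]


def rotate_secret(config_text, key, new_value=None):
    """Replace (or append) key with a fresh random value; returns (new_text, value)."""
    new_value = new_value or secrets.token_urlsafe(48)  # 64 URL-safe chars
    pattern = re.compile(rf"^{key}:.*$", re.M)
    if pattern.search(config_text):
        # lambda avoids backreference interpretation of the replacement text
        new_text = pattern.sub(lambda _m: f"{key}: {new_value}", config_text)
    else:
        new_text = config_text.rstrip("\n") + f"\n{key}: {new_value}\n"
    return new_text, new_value


if __name__ == "__main__":
    weak = audit(SAMPLE_CONFIG)
    print("weak keys:", weak)
    fixed = SAMPLE_CONFIG
    for k in weak:
        fixed, _ = rotate_secret(fixed, k)
    print(fixed)
    print("weak keys after rotation:", audit(fixed))
```

Run this against a freshly rendered config before the registry is started for the first time. Quay uses DATABASE_SECRET_KEY to encrypt sensitive fields it stores in the database, so changing it on an already-populated instance invalidates that data; on an existing deployment, follow the upstream key-rotation procedure instead of editing the file in place.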
Comment 1 Thomas Leroy 2024-04-12 09:10:51 UTC
This is for quay/mirror-registry, not thkukuk/mirror-registry. Closing.