CVE-2025-4374

Published: May 6, 2025Modified: Jul 31, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in Quay. When an organization acts as a proxy cache, and a user or robot pulls an image that hasn't been mirrored yet, they are granted "Admin" permissions on the newly created repository.

Affected (1)

Products: Redhat: Quay

Redhat

1 product

Quay

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Quay	Up to 3.14.0

Related CWEs

CWE-266

Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

References (2)

https://access.redhat.com/security/cve/CVE-2025-4374

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2364267

Source: secalert@redhat.com

Vendor Advisory

Timeline

No history available yet.