Red Hat Quay LDAP and SMTP Validation Functions Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the Red Hat Quay config-tool's LDAP and SMTP validation functions. An attacker with config editor access can abuse these functions, which open outbound connections to user-supplied endpoints without IP or host filtering, to probe hosts reachable from the Quay pod's network position and so map the internal network infrastructure. This vulnerability affects Red Hat Quay versions 3.0 through 3.16.

Impact

Exploitation of this vulnerability could lead to unauthorized internal network reconnaissance, allowing an attacker to map the internal network infrastructure from the Quay pod's network position.

Reproduction

To reproduce this vulnerability, an attacker must have config editor access on a Red Hat Quay instance version 3.0 through 3.16. The vulnerability can be exploited by using the Quay config-tool to validate LDAP or SMTP configurations. During this process, the tool will make outbound connections to the specified endpoints without proper filtering, allowing the attacker to conduct network reconnaissance.

Remediation

Users can upgrade to Red Hat Quay version 3.17 or later, where the config editor web application has been removed, limiting the attack vector. For versions 3.0 through 3.16, the vulnerability can be addressed by avoiding the use of the config-tool's LDAP and SMTP validation functions.
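The IP and host filtering the validation functions lack, as an added example written for this page (not Quay's or the config-tool's code) of how an LDAP or SMTP validator can vet a user-supplied endpoint before dialling it: every resolved address is checked against internal ranges, and the connection goes to the vetted IP literal rather than the name. The blocked-range list, the injectable resolver and connect callables, and the example host names are assumptions.

```python
import ipaddress
import socket

# Destination ranges an in-pod validator must refuse to dial. The list is an
# assumption for this example; add the cluster's own pod and service CIDRs.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_address(addr: str) -> bool:
    """True if addr is loopback, private, link-local or otherwise internal."""
    ip = ipaddress.ip_address(addr)
    # Judge an IPv4-mapped IPv6 literal (::ffff:10.0.0.1) by the IPv4 it carries.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def vetted_targets(host: str, port: int, resolver=socket.getaddrinfo):
    """Resolve host once and return the (ip, port) pairs that are safe to dial.
    Raises ValueError if *any* record is internal, so a name mixing public and
    private records cannot smuggle one through."""
    try:
        addrs = [str(ipaddress.ip_address(host.strip("[]")))]
    except ValueError:  # not an IP literal, so resolve the name
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
        addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    bad = [a for a in addrs if is_blocked_address(a)]
    if bad:
        raise ValueError(f"refusing {host!r}: resolves to internal {bad[0]}")
    return [(a, port) for a in addrs]

def target_is_safe(host: str, port: int, resolver=socket.getaddrinfo) -> bool:
    """Yes/no form of vetted_targets."""
    try:
        vetted_targets(host, port, resolver)
        return True
    except ValueError:
        return False

def open_validation_socket(host, port, resolver=socket.getaddrinfo,
                           connect=socket.create_connection, timeout=5.0):
    """Dial the vetted IP literal, never the user-typed name, so a DNS answer
    that changes between check and connect cannot redirect the probe."""
    ip, port = vetted_targets(host, port, resolver)[0]
    return connect((ip, port), timeout=timeout)
```

Pair an application-level filter like this with a network policy on the pod, since the filter cannot cover ranges it does not know about.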

Added: May 29, 2026, 9:26 AM
Updated: May 29, 2026, 9:26 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.4
exploitability: 4.5
remediation: 7.7
relevance: 9.8
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.