Red Hat Quay GitLab OAuth Credential Exposure Vulnerability
Vulnerability
A vulnerability exists in the Quay config-tool's GitLab OAuth validator, where sensitive credentials such as client_id and client_secret are sent in plaintext via URL query parameters during POST requests to GitLab. This flaw can result in these credentials being logged in various system logs, including server access logs and reverse proxy logs. An attacker with access to these logs could intercept the credentials, leading to unauthorized information disclosure.
Impact
Exposing GitLab OAuth client credentials in URL query strings can allow attackers to access sensitive information or impersonate users, potentially leading to unauthorized actions or data access.
Reproduction
The vulnerability can be reproduced by configuring Quay to use GitLab OAuth for authentication. When a POST request is made to the GitLab endpoint, the client_id and client_secret will be included in the URL query parameters in plaintext. This can be verified by checking the server access logs or any reverse proxy logs that capture the request details.
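The following Go program is an added illustration and is not Quay's own code; the endpoint and credential values are constructed samples. It contrasts the leaky request shape described above (credentials in the query string, which access and proxy logs record) with the hardened form (credentials in the POST body, which logs do not record), and includes a small check that can be run over existing access-log lines to find past exposure.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// Constructed sample values for the demonstration, not real credentials.
const (
	gitlabTokenURL = "https://gitlab.example.com/oauth/token"
	sampleID       = "app-id-123"
	sampleSecret   = "s3cr3t-value"
)

// Leaky pattern the advisory describes: client credentials in the query string.
func tokenRequestInQuery(clientID, clientSecret string) (*http.Request, error) {
	q := url.Values{"client_id": {clientID}, "client_secret": {clientSecret}}
	return http.NewRequest(http.MethodPost, gitlabTokenURL+"?"+q.Encode(), nil)
}

// Hardened form: the same parameters in the form-encoded POST body only.
func tokenRequestInBody(clientID, clientSecret string) (*http.Request, error) {
	form := url.Values{"client_id": {clientID}, "client_secret": {clientSecret}}
	req, err := http.NewRequest(http.MethodPost, gitlabTokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	return req, nil
}

// LoggedRequestLine models what an access log records: method plus request-URI (path and query), never the body.
func LoggedRequestLine(req *http.Request) string {
	return req.Method + " " + req.URL.RequestURI()
}

// QueryLeaksCredential audits one access-log line for a query string carrying client_id or client_secret.
func QueryLeaksCredential(logLine string) bool {
	for _, f := range strings.Fields(logLine) {
		i := strings.IndexByte(f, '?')
		if i < 0 {
			continue
		}
		q, err := url.ParseQuery(f[i+1:])
		if err == nil && (q.Get("client_secret") != "" || q.Get("client_id") != "") {
			return true
		}
	}
	return false
}
```

Running QueryLeaksCredential over archived access-log and reverse-proxy log lines shows which entries need to be purged and which credentials need rotating after the fix is deployed.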