Red Hat Quay
cpe:2.3:a:redhat:quay:*:*:*:*:*:*:*
- ~3.12
A server-side request forgery (SSRF) vulnerability exists in Red Hat Quay versions 3.12.x, specifically within the Proxy Cache configuration feature. This flaw allows an authenticated organization administrator to supply a crafted hostname that Quay will connect to without verifying whether it points at a legitimate external registry. As a result, the Quay server can be made to reach internal network services, cloud infrastructure endpoints, or other resources that should be unreachable from the Quay application.
Exploitation of this vulnerability could enable an attacker to make the Quay server access restricted internal resources or services, potentially bypassing access controls such as firewalls.
To reproduce this vulnerability, an organization administrator must log into the Red Hat Quay application and navigate to the Proxy Cache configuration feature. While setting up or validating a proxy cache, the administrator can input a hostname that directs to an internal service or cloud endpoint. Quay will establish a network connection to the provided hostname without any validation, thereby exploiting the SSRF vulnerability.
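The missing control is a check on the upstream hostname before Quay opens a connection. The validator below is an added example, not Quay's own code: it resolves the supplied name and accepts it only if every address it maps to is a public unicast address, rejecting loopback, RFC 1918, link-local (which covers the 169.254.169.254 cloud metadata endpoint), multicast, reserved and IPv4-mapped forms. The `resolver` parameter and the function names are this example's own assumptions.

```python
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Return every A/AAAA address the system resolver gives for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_unicast(ip: IPAddress) -> bool:
    """True only for globally routable unicast addresses.

    IPv4-mapped IPv6 literals are unwrapped first so that ::ffff:127.0.0.1
    is judged as 127.0.0.1 rather than as an unremarkable IPv6 address.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_upstream_host(host: str, resolver: Resolver = system_resolver) -> tuple[bool, str]:
    """Decide whether a proxy-cache upstream hostname may be contacted.

    Returns (allowed, reason). A literal IP is checked directly; a name is
    resolved and every returned address must pass, so a name with mixed
    public and internal records cannot slip through.
    """
    host = host.strip().lower().rstrip(".")
    if host.startswith("[") and host.endswith("]"):  # bracketed IPv6 literal
        host = host[1:-1]
    if not host:
        return False, "empty hostname"
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:  # not an IP literal, so resolve the name
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host!r}: {exc}"
        if not addrs:
            return False, f"{host!r} resolves to no addresses"
    for ip in addrs:
        if not is_public_unicast(ip):
            return False, f"{host!r} maps to non-public address {ip}"
    return True, "ok"
```

The check is only as good as its time-of-use: the caller should connect to the address that passed validation rather than re-resolving the name, and should re-run the check on any redirect target, otherwise a DNS answer that changes between check and connect defeats it.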