CVE-2024-3622: Plaintext Storage of a Password
A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry having the same secret key. This flaw allows a malicious actor to craft session cookies and, as a consequence, it may lead to gaining access to the affected Quay instance.
AI Analysis
Technical Summary
CVE-2024-3622 is a vulnerability in the deployment process of Quay container registry instances installed with mirror-registry. The root cause is a default secret key stored in plaintext within one of the configuration template files. Because the secret is neither unique per deployment nor protected, every Quay instance installed this way shares the same key. Quay uses this secret to sign session cookies, so anyone who obtains it can craft cookies that the registry accepts as valid and impersonate legitimate users or administrators. The vulnerability carries a CVSS 3.1 score of 8.8 (high): the attack vector is network-based, attack complexity is low, some privileges are required, no user interaction is needed, and confidentiality, integrity, and availability are all affected. In effect the flaw lets an attacker bypass authentication by forging session tokens, which can lead to full compromise of the registry. No in-the-wild exploitation is currently known, but the risk is significant for any organization that deployed Quay via mirror-registry without replacing the default secret.
Potential Impact
The impact of CVE-2024-3622 is substantial for organizations using Quay registries deployed through mirror-registry. Attackers can gain unauthorized access to the container registry, which may contain sensitive container images, credentials, and deployment artifacts. This unauthorized access can lead to data exfiltration, tampering with container images, insertion of malicious code, and disruption of containerized application deployments. The ability to forge session cookies undermines authentication and session management, increasing the risk of privilege escalation and lateral movement within the network. Given the widespread use of container registries in DevOps pipelines, this vulnerability could disrupt software supply chains and impact business continuity. Organizations relying on Quay for container image management must consider this a critical security risk.
Mitigation Recommendations
To mitigate CVE-2024-3622, organizations should stop deploying Quay with mirror-registry configuration templates that carry plaintext default secrets. Generate a unique, strong secret key for each Quay instance, store it securely, and keep it out of plaintext configuration files. Apply strict access controls and encryption to configuration management. Audit deployed configurations regularly to detect default or weak secrets, and monitor session activity for anomalies that could indicate forged cookies or unauthorized access. Apply vendor patches or updates that address this vulnerability as soon as they are available. Finally, consider network segmentation and restricting access to the Quay registry to trusted users and systems to reduce the attack surface.
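The audit step above ("detect default or weak secrets") can be automated by comparing a deployed config against the template it was generated from. The script below is an added example and is not code from Red Hat, Quay, or mirror-registry. It assumes (and these are assumptions, not facts from this page) that the deployed Quay config is a flat top-level YAML mapping in which SECRET_KEY and DATABASE_SECRET_KEY hold the instance secrets; the template and deployed configs embedded in it are constructed samples, and the placeholder default values are invented, not the real template value.

```python
"""Audit a deployed Quay config for secrets copied verbatim from a template.

Added example, not from any vendor. Assumed: a flat `KEY: value` YAML mapping
and the key names SECRET_KEY / DATABASE_SECRET_KEY (assumption, see lead-in).
"""
import re
import secrets

SECRET_KEYS = ("SECRET_KEY", "DATABASE_SECRET_KEY")  # assumed key names
MIN_SECRET_LEN = 32  # anything shorter is treated as weak

# Constructed sample template; the default values are invented placeholders.
TEMPLATE_CONFIG = """\
SERVER_HOSTNAME: {{ hostname }}
SECRET_KEY: TEMPLATE-DEFAULT-SECRET-PLACEHOLDER
DATABASE_SECRET_KEY: TEMPLATE-DEFAULT-DBKEY-PLACEHOLDER
SETUP_COMPLETE: true
"""

# Constructed sample of a deployed config that kept one default and used
# one weak value.
DEPLOYED_CONFIG = """\
SERVER_HOSTNAME: quay.example.internal
SECRET_KEY: TEMPLATE-DEFAULT-SECRET-PLACEHOLDER
DATABASE_SECRET_KEY: short
SETUP_COMPLETE: true
"""

_LINE = re.compile(r"^([A-Z0-9_]+):\s*(.*?)\s*$")


def parse_top_level(text):
    """Parse `KEY: value` lines of a flat YAML mapping, stripping quotes."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2).strip("'\"")
    return out


def audit_secrets(deployed_text, template_text):
    """Return (key, reason) findings for secrets that are missing, equal to
    the template default, or too short."""
    deployed = parse_top_level(deployed_text)
    template = parse_top_level(template_text)
    findings = []
    for key in SECRET_KEYS:
        value = deployed.get(key)
        if not value:
            findings.append((key, "missing"))
        elif key in template and value == template[key]:
            findings.append((key, "matches template default"))
        elif len(value) < MIN_SECRET_LEN:
            findings.append((key, "shorter than %d characters" % MIN_SECRET_LEN))
    return findings


def generate_secret():
    """Fresh CSPRNG secret; 48 random bytes -> 64 URL-safe characters."""
    return secrets.token_urlsafe(48)


def rotate_secrets(deployed_text, findings):
    """Return config text with every flagged key replaced by a fresh secret;
    keys that were missing entirely are appended."""
    flagged = {key for key, _ in findings}
    seen = set()
    lines = []
    for line in deployed_text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) in flagged:
            lines.append("%s: %s" % (m.group(1), generate_secret()))
            seen.add(m.group(1))
        else:
            lines.append(line)
    for key in sorted(flagged - seen):
        lines.append("%s: %s" % (key, generate_secret()))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_secrets(DEPLOYED_CONFIG, TEMPLATE_CONFIG)
    for key, reason in found:
        print("FAIL %s: %s" % (key, reason))
    if found:
        print("--- rotated config ---")
        print(rotate_secrets(DEPLOYED_CONFIG, found))
```

Run against real files by reading the template and each instance's config into the two text arguments; a fleet-wide variant would additionally compare the secrets across instances, since the page's point is that every mirror-registry deployment ended up with the same key. The rotated output is only a starting point: after replacing the key, existing sessions become invalid, and the new value should be written to a secret store rather than committed alongside the rest of the config.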
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, Australia, Netherlands, India, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-04-10T18:02:57.781Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691ec3739f5a9374a9d10ff7
Added to database: 11/20/2025, 7:29:55 AM
Last enriched: 2/28/2026, 4:52:30 AM
Last updated: 3/24/2026, 7:47:09 PM