CVE-2024-3625: Plaintext Storage of a Password
A flaw was found in Quay, where Quay's database is stored in plain text in mirror-registry on Jinja's config.yaml file. This issue leaves the possibility of a malicious actor with access to this file to gain access to Quay's Redis instance.
AI Analysis
Technical Summary
CVE-2024-3625 identifies a security vulnerability in Quay, a popular container image registry, where a password is stored in plaintext within the mirror-registry's config.yaml file, which is rendered using Jinja templates. This plaintext storage exposes sensitive credentials for Quay's Redis instance, a critical backend component used for caching and data storage. An attacker who gains access to this configuration file—either through compromised system access or misconfigured permissions—can retrieve the Redis password and subsequently access or manipulate the Redis instance. The vulnerability has a CVSS 3.1 base score of 7.3, indicating high severity, with an attack vector of adjacent network (AV:A), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and impacting confidentiality and integrity substantially (C:H/I:H/A:N). The flaw does not affect availability but can lead to unauthorized data access or modification within Redis, potentially undermining the integrity of container registry operations. No specific affected versions are listed, and no patches have been linked yet, but the issue was published on April 25, 2024. The vulnerability underscores the risks of insecure credential storage in configuration files and the importance of strict access controls and encryption for sensitive data within container infrastructure components.
Potential Impact
The primary impact of CVE-2024-3625 is unauthorized access to Quay's Redis instance due to exposure of plaintext credentials. This can lead to confidentiality breaches where sensitive data cached or stored in Redis is accessed by unauthorized parties. Integrity is also at risk, as attackers could modify or inject malicious data into Redis, potentially disrupting container image management, deployment workflows, or security policies enforced via Quay. While availability is not directly impacted, the compromise of Redis could indirectly affect service reliability or trustworthiness. Organizations relying on Quay for container image storage and distribution may face operational disruptions, data leakage, or further lateral movement within their infrastructure if attackers leverage this vulnerability. The requirement for low privileges and no user interaction lowers the barrier for exploitation once access to the config.yaml file is obtained, making it a significant risk especially in environments with weak file permission controls or insider threats.
Mitigation Recommendations
To mitigate CVE-2024-3625, organizations should immediately audit and restrict access permissions on the mirror-registry's config.yaml file to ensure only authorized system processes and administrators can read it. Employ file system access controls (e.g., Linux file permissions, SELinux/AppArmor policies) to prevent unauthorized local or network users from accessing sensitive configuration files. Encrypt sensitive credentials stored in configuration files or use secret management solutions (e.g., HashiCorp Vault, Kubernetes Secrets) to avoid plaintext storage. Monitor access logs for unusual or unauthorized attempts to read configuration files or connect to Redis. Network segmentation should isolate Redis instances, limiting access to trusted hosts only. Apply any patches or updates released by Quay maintainers promptly once available. Additionally, consider rotating Redis passwords and credentials after remediation to invalidate any potentially compromised secrets. Regular security reviews of container registry infrastructure and configuration management practices are recommended to prevent similar issues.
Affected Countries
United States, Germany, United Kingdom, Canada, Netherlands, France, Australia, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2024-04-10T18:03:06.061Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 691f628a40b920e2707a8c35
Added to database: 11/20/2025, 6:48:42 PM
Last enriched: 2/28/2026, 4:53:08 AM
Last updated: 3/22/2026, 5:18:00 PM