CVE-2024-3625 Mirror-registry: redis password stored in plain-text

🗓️ 25 Apr 2024 17:46:52Reported by redhatType

Flaw in Quay's mirror-registry leaves Redis password expose

Reporter	Title	Published	Views	Family All 8
BDU FSTEC	The vulnerability of the software for creating local copies of deleted container registry entries, known as the Mirror registry for Red Hat OpenShift, arises from the unencrypted storage of critical information. This allows an intruder to gain unauthorized access to a Redis instance.	20 May 202400:00	–	bdu_fstec
CNNVD	Red Hat OpenShift 安全漏洞	10 Apr 202400:00	–	cnnvd
CVE	CVE-2024-3625	25 Apr 202417:46	–	cve
EUVD	EUVD-2024-32204	3 Oct 202520:07	–	euvd
NVD	CVE-2024-3625	25 Apr 202418:15	–	nvd
Positive Technologies	PT-2024-3595 · Redis +2 · Redis +2	10 Apr 202400:00	–	ptsecurity
RedhatCVE	CVE-2024-3625	10 Apr 202421:22	–	redhatcve
Vulnrichment	CVE-2024-3625 Mirror-registry: redis password stored in plain-text	25 Apr 202417:46	–	vulnrichment

[
  {
    "packageName": "mirror-registry",
    "collectionURL": "https://github.com/quay/mirror-registry",
    "defaultStatus": "affected"
  },
  {
    "vendor": "Red Hat",
    "product": "mirror registry for Red Hat OpenShift",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "mirror-registry-container",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:mirror_registry:1"
    ]
  }
]

Source	Link
access	www.access.redhat.com/security/cve/CVE-2024-3625
bugzilla	www.bugzilla.redhat.com/show_bug.cgi

20 Nov 2025 18:38Current

7.3High risk

Vulners AI Score7.3

CVSS 3.17.3

EPSS0.00049

CWE-256