CVE-2024-2700

Quarkus-core: leak of local configuration properties into quarkus applications

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.

Se encontró una vulnerabilidad en el componente quarkus-core. Quarkus captura las variables de entorno local del espacio de nombres de Quarkus durante la compilación de la aplicación. Por lo tanto, la ejecución de la aplicación resultante hereda los valores capturados en el momento de la compilación. Sin embargo, es posible que el entorno de desarrollador/CI haya configurado algunas variables de entorno local con fines de prueba, como eliminar la base de datos durante el inicio de la aplicación o confiar en que todos los certificados TLS acepten certificados autofirmados. Si estas propiedades se configuran mediante variables de entorno o la función .env, se capturan en la aplicación integrada. Conduce a un comportamiento peligroso si la aplicación no anula estos valores. Este comportamiento solo ocurre para las propiedades de configuración del espacio de nombres `quarkus.*`. Por lo tanto, las propiedades específicas de la aplicación no se capturan.

HawtIO 4.1.0 for Red Hat build of Apache Camel 4 GA Release is now available. Issues addressed include code execution, denial of service, information leakage, and traversal vulnerabilities.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-20 CVE Reserved
2024-04-04 CVE Published
2024-07-15 EPSS Updated
2024-12-12 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable

CAPEC

References (8)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:2106	2024-07-14
https://access.redhat.com/errata/RHSA-2024:2705	2024-07-14
https://access.redhat.com/errata/RHSA-2024:3527	2024-07-14
https://access.redhat.com/errata/RHSA-2024:4028	2024-07-14
https://access.redhat.com/security/cve/CVE-2024-2700	2024-07-14
https://bugzilla.redhat.com/show_bug.cgi?id=2273281	2024-07-14
https://access.redhat.com/errata/RHSA-2024:11023	2024-12-12
https://access.redhat.com/errata/RHSA-2024:4873	2024-12-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Amq Streams Search vendor "Redhat" for product "Amq Streams"				*		-		Affected
Redhat Search vendor "Redhat"		Apicurio Registry Search vendor "Redhat" for product "Apicurio Registry"				*		-		Affected
Redhat Search vendor "Redhat"		Build Keycloak Search vendor "Redhat" for product "Build Keycloak"				*		-		Affected
Redhat Search vendor "Redhat"		Camel Quarkus Search vendor "Redhat" for product "Camel Quarkus"				*		-		Affected
Redhat Search vendor "Redhat"		Integration Search vendor "Redhat" for product "Integration"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Application Runtimes Search vendor "Redhat" for product "Openshift Application Runtimes"				*		-		Affected
Redhat Search vendor "Redhat"		Openshift Serverless Search vendor "Redhat" for product "Openshift Serverless"				*		-		Affected
Redhat Search vendor "Redhat"		Optaplanner Search vendor "Redhat" for product "Optaplanner"				*		-		Affected
Redhat Search vendor "Redhat"		Quarkus Search vendor "Redhat" for product "Quarkus"				*		-		Affected
Redhat Search vendor "Redhat"		Rhboac Hawtio Search vendor "Redhat" for product "Rhboac Hawtio"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected