Quarkus-core: leak of local configuration properties into quarkus applications
CVE-2024-2700

7HIGH

Key Information:

Vendor
Red Hat
Status
Red Hat AMQ Streams 2.7.0
Red Hat Build Of Apicurio Registry 2.6.1 Ga
Red Hat Build Of Quarkus 3.2.12.final
Red Hat Build Of Quarkus 3.8.4.Red Hat
Vendor
CVE Published:
4 April 2024

Summary

A vulnerability exists in the Quarkus core component, where local environment variables prefixed by 'quarkus.' can be inadvertently inherited by the application during its build process. This occurs when developers or CI environments utilize such variables for testing purposes, like database modifications or TLS certificate trust settings. If these properties are not explicitly overridden in the application code, their presence in the built application can lead to risky behaviors, potentially exposing the application to unintended effects or vulnerabilities. It's important to note that this behavior is limited to the 'quarkus.' namespace, and application-specific properties remain unaffected.

References

https://access.redhat.com/errata/RHSA-2024:2106
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2705
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3527
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Collectors

NVD DatabaseMitre Database
.