Quarkus-core: leak of local configuration properties into quarkus applications
CVE-2024-2700

7HIGH

Key Information:

Status
Hawtio 4.0.0 For Red Hat Build Of Apache Camel 4
Red Hat AMQ Streams 2.7.0
Red Hat Build Of Apicurio Registry 2.6.1 Ga
Vendor
CVE Published:
4 April 2024

What is CVE-2024-2700?

A vulnerability exists in the Quarkus core component, where local environment variables prefixed by 'quarkus.' can be inadvertently inherited by the application during its build process. This occurs when developers or CI environments utilize such variables for testing purposes, like database modifications or TLS certificate trust settings. If these properties are not explicitly overridden in the application code, their presence in the built application can lead to risky behaviors, potentially exposing the application to unintended effects or vulnerabilities. It's important to note that this behavior is limited to the 'quarkus.' namespace, and application-specific properties remain unaffected.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://access.redhat.com/errata/RHSA-2024:11023
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2106
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2705
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

JSON
.