Quarkus CXF Vulnerability: Hidden Passwords and Secrets at Risk
CVE-2024-9621
5.3 MEDIUM
Key Information:
- Vendor: Red Hat
- CVE Published: 8 October 2024
Summary
A vulnerability exists in Quarkus CXF in which passwords and other secrets may appear in the application log even though the user configured them to be hidden. The issue is only reachable with a particular configuration: SOAP logging must be enabled, and the application must also set client and endpoint logging properties. An attacker who can read the application logs can recover the exposed credentials. Because the secrets are written to persistent logs, upgrading alone does not undo the exposure: any credentials that passed through the affected logging path should be rotated, and existing logs should be checked for unmasked values.
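The practical check an operator wants after reading this advisory is whether credentials actually reached the logs in clear. The following is an added example, not code from the advisory or from Quarkus CXF: it scans log lines for SOAP elements whose content should have been masked and, for contrast, applies the masking that an operator expects the logging feature to perform. The element names (Password, Nonce, apiKey), the "XXX" placeholder and the sample log lines are all constructed for this example; adjust the element list to the WSDL your service actually uses.

```python
"""Added example (not part of the advisory or of Quarkus CXF): find SOAP
secrets that were logged unmasked, and show the masking an operator expects.
"""
import re
from typing import Iterable, List, Tuple

# Element local names whose text content must never appear in a log.
# Constructed list for this example; the real set depends on your WSDL.
SENSITIVE_ELEMENTS = ("Password", "Nonce", "apiKey")

# Placeholder that a correctly working masking step writes instead of the
# secret. Assumed for this example.
MASK = "XXX"

# Constructed log lines imitating a SOAP logging feature's payload output.
# Line 1 is masked correctly; lines 2 and 4 leak secrets; line 3 has none.
SAMPLE_LOG = [
    '2024-10-08 10:00:01 INFO [REQ_OUT] Payload: <soap:Envelope><soap:Header>'
    '<wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
    '<wsse:Password>XXX</wsse:Password></wsse:UsernameToken></wsse:Security>'
    '</soap:Header></soap:Envelope>',
    '2024-10-08 10:00:02 INFO [REQ_OUT] Payload: <soap:Envelope><soap:Header>'
    '<wsse:Security><wsse:UsernameToken><wsse:Username>alice</wsse:Username>'
    '<wsse:Password Type="#PasswordText">s3cr3t</wsse:Password>'
    '<wsse:Nonce>abc123==</wsse:Nonce></wsse:UsernameToken></wsse:Security>'
    '</soap:Header></soap:Envelope>',
    '2024-10-08 10:00:03 INFO [RESP_IN] Payload: <soap:Envelope><soap:Body>'
    '<ns2:greetResponse><return>Hello alice</return></ns2:greetResponse>'
    '</soap:Body></soap:Envelope>',
    '2024-10-08 10:00:04 INFO [REQ_OUT] Payload: <soap:Envelope><soap:Body>'
    '<ns2:lookup><ns2:apiKey>AKIA-example</ns2:apiKey></ns2:lookup>'
    '</soap:Body></soap:Envelope>',
]


def _element_pattern(name: str) -> "re.Pattern[str]":
    """Match <prefix:Name attrs>content</prefix:Name>; the prefix is optional.

    The word boundary after the name keeps "Password" from matching inside
    "PasswordDigest", and the non-greedy content group keeps several
    occurrences on one line separate.
    """
    n = re.escape(name)
    return re.compile(
        rf"(<(?:[\w.-]+:)?{n}\b[^>]*>)(.*?)(</(?:[\w.-]+:)?{n}>)",
        re.DOTALL,
    )


def mask_sensitive_elements(xml: str, names: Iterable[str] = SENSITIVE_ELEMENTS) -> str:
    """Replace the text content of every sensitive element with MASK."""
    for name in names:
        xml = _element_pattern(name).sub(rf"\1{MASK}\3", xml)
    return xml


def find_unmasked_secrets(
    log_lines: Iterable[str], names: Iterable[str] = SENSITIVE_ELEMENTS
) -> List[Tuple[int, str, str]]:
    """Return (line_number, element_name, leaked_value) for each sensitive
    element whose content was logged as anything other than the mask."""
    names = tuple(names)
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_lines, 1):
        for name in names:
            for m in _element_pattern(name).finditer(line):
                value = m.group(2).strip()
                if value and value != MASK:
                    hits.append((lineno, name, value))
    return hits


if __name__ == "__main__":
    for lineno, name, value in find_unmasked_secrets(SAMPLE_LOG):
        print(f"line {lineno}: <{name}> logged in clear ({len(value)} chars)")
```

Run it against a real log export instead of SAMPLE_LOG to decide which credentials need rotating; the report deliberately prints only the length of each leaked value so that the check itself does not copy the secret into yet another log.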
CVSS V3.1
Score: 5.3
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
- Vulnerability reserved
- Vulnerability published: 8 October 2024
Credit
Red Hat would like to thank Rolf Thorup for reporting this issue.