CVE-2024-2700

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build; therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.
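
A pre-build check for the condition described above, as an added example that is not part of the CVE record or of Quarkus itself. It lists the names of Quarkus-namespace settings visible to a build through the process environment or a `.env` file. The function names are hypothetical, and it assumes the `.env` file sits in the project directory and that `quarkus.foo.bar` is supplied as `QUARKUS_FOO_BAR`.

```shell
#!/bin/sh
# Added example (not Quarkus code): pre-build gate for the condition described
# in CVE-2024-2700. Assumes the build is started from the project directory.

# Print the names (never the values, which may be secrets) of quarkus.*
# settings a build could capture. $1: project directory (default ".").
quarkus_build_env_names() {
    dir=${1:-.}
    # Process environment: quarkus.foo.bar is read from QUARKUS_FOO_BAR.
    env | sed -n 's/^\(QUARKUS_[A-Za-z0-9_]*\)=.*/env:\1/p'
    # .env file: KEY=VALUE lines; accept both spellings of the key.
    if [ -f "$dir/.env" ]; then
        sed -n \
            -e 's/^[[:space:]]*\(QUARKUS_[A-Za-z0-9_]*\)[[:space:]]*=.*/dotenv:\1/p' \
            -e 's/^[[:space:]]*\(quarkus\.[A-Za-z0-9_.-]*\)[[:space:]]*=.*/dotenv:\1/p' \
            "$dir/.env"
    fi
}

# Return 1 (and list the offending names on stderr) if any were found,
# so a CI job can stop before the build step runs.
check_quarkus_build_env() {
    found=$(quarkus_build_env_names "${1:-.}" | sort -u)
    [ -z "$found" ] && return 0
    echo "quarkus.* settings visible to the build:" >&2
    echo "$found" | sed 's/^/  /' >&2
    return 1
}

# Stand-alone use: sh check.sh --check [project-dir]
case "${1:-}" in
    --check) check_quarkus_build_env "${2:-.}" ;;
esac
```

Run it as the step immediately before the build, in the same shell and working directory, so that it sees the same environment the build will.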

Configurations

No configuration.

History

21 Nov 2024, 09:10

Type Values Removed Values Added
References () https://access.redhat.com/errata/RHSA-2024:2106 - () https://access.redhat.com/errata/RHSA-2024:2106 -
References () https://access.redhat.com/errata/RHSA-2024:2705 - () https://access.redhat.com/errata/RHSA-2024:2705 -
References () https://access.redhat.com/errata/RHSA-2024:3527 - () https://access.redhat.com/errata/RHSA-2024:3527 -
References () https://access.redhat.com/errata/RHSA-2024:4028 - () https://access.redhat.com/errata/RHSA-2024:4028 -
References () https://access.redhat.com/errata/RHSA-2024:4873 - () https://access.redhat.com/errata/RHSA-2024:4873 -
References () https://access.redhat.com/security/cve/CVE-2024-2700 - () https://access.redhat.com/security/cve/CVE-2024-2700 -
References () https://bugzilla.redhat.com/show_bug.cgi?id=2273281 - () https://bugzilla.redhat.com/show_bug.cgi?id=2273281 -

25 Jul 2024, 21:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:4873 -

14 Jul 2024, 22:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:2106 -

20 Jun 2024, 17:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:4028 -

31 May 2024, 01:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:3527 -

09 May 2024, 16:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2024:2705 -

17 Apr 2024, 20:15

Type Values Removed Values Added
Summary
  • (es) A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application's build. Therefore, running the resulting application inherits the values captured at build time. However, the developer/CI environment may have set some local environment variables for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. This leads to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Therefore, application-specific properties are not captured.
Summary
  • Removed: (en) A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application's build. Thus, running the resulting application inherits the values captured at build time. However, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It leads to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. So, application-specific properties are not captured.
  • Added: (en) A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.

04 Apr 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-04-04 14:15

Updated : 2024-11-21 09:10


NVD link : CVE-2024-2700

Mitre link : CVE-2024-2700

CVE.ORG link : CVE-2024-2700



Products Affected

No product.

CWE
CWE-526

Cleartext Storage of Sensitive Information in an Environment Variable