We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)
Bugpilot (Bug tracking)

Ok

THREATINT CVE Home CVE Diag Help
PUBLISHED

CVE-2024-2700

Quarkus-core: leak of local configuration properties into quarkus applications

Reserved:2024-03-20
Published:2024-04-04
Updated:2024-04-17

Description

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.



HIGH: 7.0CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem types

Cleartext Storage of Sensitive Information in an Environment Variable

Product status

Default status
affected

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
unknown

Default status
affected

Default status
unknown

Default status
unknown

Default status
unknown

Timeline

2024-04-03:Reported to Red Hat.
2024-04-03:Made public.

References

https://access.redhat.com/security/cve/CVE-2024-2700 vdb-entry

https://bugzilla.redhat.com/show_bug.cgi?id=2273281 (RHBZ#2273281) issue-tracking

cve.org CVE-2024-2700

nvd.nist.gov CVE-2024-2700

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-2700