Bug 2273281 (CVE-2024-2700)
| Summary: | CVE-2024-2700 quarkus-core: Leak of local configuration properties into Quarkus applications | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adupliak, aileenc, anstephe, avibelli, bgeorges, boliveir, chazlett, clement.escoffier, cmiranda, dandread, dhanak, dkreling, dpalmer, drichtar, dsimansk, eric.wittmann, fmongiar, gsmet, janstey, jmartisk, jnethert, kingland, kverlaen, lthon, matzew, max.andersen, mmillson, mnovotny, mosmerov, mulliken, olubyans, pantinor, parichar, pcongius, pdrozd, peholase, pgallagh, pierdipi, pjindal, probinso, pskopek, rguimara, rhuss, rowaters, rruss, rsvoboda, saroy, sausingh, sbiarozk, sthorger, tasato, tqvarnst |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2273280 | ||
|
Description
Patrick Del Bello
2024-04-04 01:50:34 UTC
This issue has been addressed in the following products: Red Hat build of Quarkus 3.8.4 Via RHSA-2024:2106 https://access.redhat.com/errata/RHSA-2024:2106 This issue has been addressed in the following products: Red Hat build of Quarkus 3.2.12 Via RHSA-2024:2705 https://access.redhat.com/errata/RHSA-2024:2705 This issue has been addressed in the following products: Red Hat AMQ Streams 2.7.0 Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527 This issue has been addressed in the following products: RHOSS-1.33-RHEL-8 Via RHSA-2024:4028 https://access.redhat.com/errata/RHSA-2024:4028 This issue has been addressed in the following products: Red Hat build of Apicurio Registry 2.6.1 GA Via RHSA-2024:4873 https://access.redhat.com/errata/RHSA-2024:4873 This issue has been addressed in the following products: HawtIO 4.0.0 for Red Hat build of Apache Camel 4 Via RHSA-2024:11023 https://access.redhat.com/errata/RHSA-2024:11023 |