2273281 – (CVE-2024-2700) CVE-2024-2700 quarkus-core: Leak of local configuration properties into Quarkus applications

Bug 2273281 (CVE-2024-2700) - CVE-2024-2700 quarkus-core: Leak of local configuration properties into Quarkus applications

Summary: CVE-2024-2700 quarkus-core: Leak of local configuration properties into Quark...

Keywords:
Status:	NEW
Alias:	CVE-2024-2700
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2273280
TreeView+	depends on / blocked

Reported:	2024-04-04 01:50 UTC by Patrick Del Bello
Modified:	2024-04-17 19:26 UTC (History)
CC List:	56 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Patrick Del Bello 2024-04-04 01:50:34 UTC

A vulnerability was found in quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application's build. Thus, running the resulting application inherits the values captured at build time.

However, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It leads to dangerous behavior if the application does not override these values.

This behavior only happens for configuration properties from the `quarkus.*` namespace. So, application-specific properties are not captured.

Note You need to log in before you can comment on or make changes to this bug.

adupliak
aileenc
anstephe
avibelli
bgeorges
boliveir
chazlett
clement.escoffier
cmiranda
dandread
dhanak
dkreling
dpalmer
drichtar
dsimansk
eric.wittmann
fmongiar
gsmet
hamadhan
janstey
jmartisk
jnethert
kingland
kverlaen
lhein
lthon
matzew
max.andersen
mmillson
mnovotny
mosmerov
mulliken
olubyans
pantinor
parichar
pcongius
pdrozd
peholase
pgallagh
pierdipi
pjindal
probinso
pskopek
rguimara
rhuss
rowaters
rruss
rsvoboda
saroy
sausingh
sbiarozk
sdouglas
skontopo
sthorger
tasato
tqvarnst