A vulnerability was found in quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application's build. Thus, running the resulting application inherits the values captured at build time. However, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It leads to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. So, application-specific properties are not captured.
This issue has been addressed in the following products: Red Hat build of Quarkus 3.8.4 Via RHSA-2024:2106 https://access.redhat.com/errata/RHSA-2024:2106
This issue has been addressed in the following products: Red Hat build of Quarkus 3.2.12 Via RHSA-2024:2705 https://access.redhat.com/errata/RHSA-2024:2705
This issue has been addressed in the following products: Red Hat AMQ Streams 2.7.0 Via RHSA-2024:3527 https://access.redhat.com/errata/RHSA-2024:3527
This issue has been addressed in the following products: RHOSS-1.33-RHEL-8 Via RHSA-2024:4028 https://access.redhat.com/errata/RHSA-2024:4028
This issue has been addressed in the following products: Red Hat build of Apicurio Registry 2.6.1 GA Via RHSA-2024:4873 https://access.redhat.com/errata/RHSA-2024:4873
This issue has been addressed in the following products: HawtIO 4.0.0 for Red Hat build of Apache Camel 4 Via RHSA-2024:11023 https://access.redhat.com/errata/RHSA-2024:11023