CVE-2024-2700

Quarkus-core: leak of local configuration properties into quarkus applications

Description

A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, so the resulting application inherits the values captured at build time when it runs. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values at runtime. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.
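A pre-build check for the condition described above, added here as an example and not part of the Quarkus project or the Red Hat advisory: it lists every `quarkus.*` setting present in the build shell's environment or in a `.env` file, so a CI job can fail or warn before the values get baked into the artifact. It assumes the MicroProfile Config mapping that Quarkus uses for environment variables (upper-case, dots and dashes to underscores), and the two property names on the watch-list are illustrative entries for the two behaviours the advisory mentions; the sample environment and `.env` contents are constructed.

```python
"""Pre-build check for CVE-2024-2700: report quarkus.* configuration that the
build environment would capture into the application (added example)."""
import re

# Constructed watch-list: the two risky behaviours named in the advisory
# (schema drop on startup, trust-all TLS) with the values that enable them.
RISKY_PROPERTIES = {
    "quarkus.hibernate-orm.database.generation": {"drop", "drop-and-create"},
    "quarkus.tls.trust-all": {"true"},
}


def fold(key: str) -> str:
    """Canonical form so QUARKUS_TLS_TRUST_ALL and quarkus.tls.trust-all compare
    equal: lower-case, with '-' and '_' both treated as '.'."""
    return re.sub(r"[-_]", ".", key.lower())


def parse_dotenv(text: str) -> dict:
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional quotes."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip().strip("'\"")
    return result


def find_quarkus_config(environ: dict, dotenv_text: str = "") -> list:
    """Return (source, key, value, risky) for every quarkus.* setting found in
    the environment or the .env text; application-specific keys are ignored,
    matching what the advisory says Quarkus captures."""
    findings = []
    for source, mapping in (("env", environ), (".env", parse_dotenv(dotenv_text))):
        for key, value in mapping.items():
            folded = fold(key)
            if not folded.startswith("quarkus."):
                continue
            risky = any(fold(prop) == folded and value.lower() in bad
                        for prop, bad in RISKY_PROPERTIES.items())
            findings.append((source, key, value, risky))
    return findings


# Constructed sample inputs standing in for a developer's shell and .env file.
SAMPLE_ENV = {"QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION": "drop-and-create",
              "PATH": "/usr/bin"}
SAMPLE_DOTENV = "quarkus.tls.trust-all=true\nAPP_GREETING=hello\n"

if __name__ == "__main__":
    for source, key, value, risky in find_quarkus_config(SAMPLE_ENV, SAMPLE_DOTENV):
        print(f"[{'RISKY' if risky else 'note'}] {source}: {key}={value}")
```

Running it against the real shell means passing `dict(os.environ)` and the contents of the project's `.env`; a non-empty result is the signal to build from a clean environment or to pin the runtime value explicitly.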

Remediation

Workaround:

  • Currently, no mitigation is available for this vulnerability. Please update as the patches become available.

CVSS

CVSS 3.1 base score: 7.0
Severity: High
EPSS: 0.02%
Vendor Advisory: redhat.com
Affected: Red Hat HawtIO 4.0.0 for Red Hat build of Apache Camel 4
Affected: Red Hat AMQ Streams 2.7.0
Affected: Red Hat build of Apicurio Registry 2.6.1 GA
Affected: Red Hat build of Quarkus 3.2.12.Final
Affected: Red Hat build of Quarkus 3.8.4.redhat
Affected: Red Hat RHOSS-1.33-RHEL-8
Affected: Red Hat build of Apache Camel 4 for Quarkus 3
Affected: Red Hat build of Keycloak
Affected: Red Hat build of OptaPlanner 8
Affected: Red Hat build of Quarkus
Affected: Red Hat Integration Camel K 1
Affected: Red Hat Integration Camel Quarkus 2
Frequently Asked Questions

What is the severity of CVE-2024-2700?
CVE-2024-2700 has been scored as a high severity vulnerability.
How to fix CVE-2024-2700?
As a workaround for remediating CVE-2024-2700: Currently, no mitigation is available for this vulnerability. Please update as the patches become available.
Is CVE-2024-2700 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2024-2700 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-2700?
CVE-2024-2700 affects Red Hat HawtIO 4.0.0 for Red Hat build of Apache Camel 4, Red Hat AMQ Streams 2.7.0, Red Hat build of Apicurio Registry 2.6.1 GA, Red Hat build of Quarkus 3.2.12.Final, Red Hat build of Quarkus 3.8.4.redhat, Red Hat RHOSS-1.33-RHEL-8, Red Hat build of Apache Camel 4 for Quarkus 3, Red Hat build of Keycloak, Red Hat build of OptaPlanner 8, Red Hat build of Quarkus, Red Hat Integration Camel K 1, and Red Hat Integration Camel Quarkus 2.
© 2025 Under My Watch. All Rights Reserved.