CVE-2024-2700
April 04, 2024
A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the "quarkus.*" namespace. Application-specific properties are not captured.
Affected Packages
io.quarkus:quarkus-core (JAVA):
Affected version(s) >=0.11.0 <3.2.12.FinalFix Suggestion:
Update to version 3.2.12.Finalio.quarkus:quarkus-core (JAVA):
Affected version(s) >=3.9.0.CR1 <3.9.2Fix Suggestion:
Update to version 3.9.2io.quarkus:quarkus-core (JAVA):
Affected version(s) >=3.3.0.CR1 <3.8.4Fix Suggestion:
Update to version 3.8.4Additional Notes
The description of this vulnerability differs from MITRE.
Related Resources (16)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.3
Attack Vector
LOCAL
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Cleartext Storage of Sensitive Information in an Environment Variable
EPSS
Base Score:
0.04
