Multiple vulnerabilities in Red Hat build of Quarkus 3.2

Published: 2024-06-18

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2024-2700 CVE-2024-29025
CWE-ID	CWE-312 CWE-200
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Red Hat build of Quarkus Server applications / Other server solutions
Vendor	Red Hat Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Cleartext storage of sensitive information

EUVDB-ID: #VU91686

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-2700

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to cleartext storage of sensitive information in an environment variable. A local user can exploit this vulnerability to obtain local configuration properties information, and use this information to launch further attacks against the affected system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Red Hat build of Quarkus: before 3.2.12

CPE2.3

cpe:2.3:a:red_hat:red_hat_build_of_quarkus:*:*:*:*:*:*:*:*

External links

https://access.redhat.com/errata/RHSA-2024:2705

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU87779

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-29025

CWE-ID: CWE-200 - Information exposure