#VU91686 Cleartext storage of sensitive information in Quarkus


Published: 2024-06-11

Vulnerability identifier: #VU91686

Vulnerability risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-2700

CWE-ID: CWE-312

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Quarkus
Server applications / Frameworks for developing and running applications

Vendor:

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to cleartext storage of sensitive information in an environment variable. A local user can exploit this vulnerability to obtain local configuration properties information, and use this information to launch further attacks against the affected system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://access.redhat.com/security/cve/CVE-2024-2700
http://bugzilla.redhat.com/show_bug.cgi?id=2273281
http://access.redhat.com/errata/RHSA-2024:2705
http://access.redhat.com/errata/RHSA-2024:3527

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cloud Pak for Business Automation
Multiple vulnerabilities in IBM Event Endpoint Management
Multiple vulnerabilities in Red Hat OpenShift Serverless 1.33
Multiple vulnerabilities in AMQ Streams 2.7
Multiple vulnerabilities in Red Hat Integration Camel Extensions for Quarkus 3.2.12
Multiple vulnerabilities in Red Hat build of Quarkus 3.8
Multiple vulnerabilities in Red Hat build of Quarkus 3.2
Multiple vulnerabilities in IBM Business Automation Insights
Multiple vulnerabilities in IBM Cloud Pak for Business Automation