CVSS 3.1

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | HIGH |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector string | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |

EPSS

Percentile | Value |
---|---|
Percentile | 10.6% |
A vulnerability was found in the quarkus-core component. Quarkus captures the local environment variables from the Quarkus namespace during the application’s build. Thus, running the resulting application inherits the values captured at build time.
However, some local environment variables may have been set by the developer / CI environment for testing purposes, such as dropping the database during the application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application. It may lead to dangerous behavior if the application does not override these values.
This behavior only happens for configuration properties from the quarkus.* namespace. So, application-specific properties are not captured.
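The following pre-build check is an added example for this page; it is not code from the Quarkus project or from the advisory. It scans the build host's process environment and a .env file for quarkus.* properties, which the description above says would be captured into the built application, and flags the two kinds of developer/CI settings the advisory names as dangerous (dropping the database at startup, trusting all TLS certificates). The watch list of property names and values, the .env parser, and the assumption that environment variables take precedence over .env entries (as in Quarkus' configuration ordering) are this example's own; extend the watch list for your project.

```python
"""Pre-build check: find quarkus.* settings a Quarkus build would capture.

Added example, not Quarkus project code. Run it on the build host before
'mvn package' / 'gradle build' so that test-only settings never ship
inside the artifact.
"""
import os
import re
import sys

# Constructed watch list (assumption): canonical property name -> values that
# must not be baked into a shipped build.
UNSAFE_PROPERTIES = {
    "quarkus.hibernate-orm.database.generation": {"drop", "drop-and-create"},
    "quarkus.tls.trust-all": {"true"},
}


def canonical(name: str) -> str:
    """Collapse the spellings a property can take (quarkus.tls.trust-all in
    .env, QUARKUS_TLS_TRUST_ALL as an environment variable) into one key."""
    return re.sub(r"[^A-Z0-9]", "_", name.strip().upper())


def parse_dotenv(text: str) -> dict:
    """Minimal .env parser: KEY=VALUE per line, '#' comments, optional quotes."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip().strip('"').strip("'")
    return result


def captured_quarkus_properties(env: dict, dotenv: dict) -> dict:
    """Return every quarkus.* setting the build would capture, keyed by
    canonical name -> (original name, value, source). Environment variables
    are applied after .env so they win on conflict (assumed precedence)."""
    captured = {}
    for source, mapping in (("dotenv", dotenv), ("env", env)):
        for name, value in mapping.items():
            key = canonical(name)
            if key.startswith("QUARKUS_"):
                captured[key] = (name, value, source)
    return captured


def find_unsafe(captured: dict) -> list:
    """Match captured settings against the watch list; returns
    (property, value, source) for each unsafe hit."""
    findings = []
    for prop, bad_values in UNSAFE_PROPERTIES.items():
        hit = captured.get(canonical(prop))
        if hit and hit[1].strip().lower() in bad_values:
            findings.append((prop, hit[1], hit[2]))
    return findings


def check_build_host(dotenv_path: str = ".env") -> list:
    """Scan the real process environment plus an optional .env file."""
    dotenv = {}
    if os.path.exists(dotenv_path):
        with open(dotenv_path, encoding="utf-8") as fh:
            dotenv = parse_dotenv(fh.read())
    return find_unsafe(captured_quarkus_properties(dict(os.environ), dotenv))


if __name__ == "__main__":
    # Exit non-zero so a CI pipeline stops before the build captures the value.
    problems = check_build_host()
    for prop, value, source in problems:
        print(f"UNSAFE build-time setting {prop}={value} (from {source})")
    sys.exit(1 if problems else 0)
```

Wire the script into the pipeline step that precedes the build; a non-zero exit stops the job before the offending value is captured. The check is deliberately conservative: it reports only exact matches on the watch list, so settings outside it are still captured silently and should be reviewed by listing `captured_quarkus_properties` output.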
Vendor | Product | Version | CPE |
---|---|---|---|
io.quarkus | quarkus-core | * | cpe:2.3:a:io.quarkus:quarkus-core:*:*:*:*:*:*:*:* |
access.redhat.com/errata/RHSA-2024:2106
access.redhat.com/errata/RHSA-2024:2705
access.redhat.com/errata/RHSA-2024:3527
access.redhat.com/errata/RHSA-2024:4028
access.redhat.com/errata/RHSA-2024:4873
access.redhat.com/security/cve/CVE-2024-2700
bugzilla.redhat.com/show_bug.cgi?id=2273281
github.com/advisories/GHSA-f8h5-v2vg-46rr
github.com/quarkusio/quarkus/commit/2b24dc8dbc8f390c97428783d67614418676fc2e
github.com/quarkusio/quarkus/commit/91c3a58eaefe59e0afd430653d1636d664bd593f
github.com/quarkusio/quarkus/commit/990c3ee5dd5c689f514e5e87c221bce6d5dff267
github.com/quarkusio/quarkus/issues/39927
nvd.nist.gov/vuln/detail/CVE-2024-2700
quarkus.io/blog/quarkus-3-2-12-final-released
quarkus.io/blog/quarkus-3-8-4-released