Description
A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.
Statement
Three conditions are required to enable this vulnerability:
- If you are in an environment where you have a token in the Git URL of the Quarkus project you are building
- If you build with a Quarkus extension that generates a Kubernetes descriptor (for instance a Kubernetes or OpenShift extension)
- If this descriptor is automatically published as a build artifact (such as GitHub Actions artifacts)

Due to these combined restrictions, which are all beyond an attacker's control, there is limited opportunity for exploitation. Therefore, the security impact is rated Moderate.
Mitigation
Ensure that at least one of the preconditions is not present in your environment.
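
One way to check the generated descriptor before it is uploaded as a build artifact, as an added example (not code from Red Hat or the Quarkus project): scan it for URLs that embed credentials and report them with the secret stripped. The sample descriptor, its annotation keys and the token are constructed placeholders.

```python
import re
import sys
from urllib.parse import urlsplit, urlunsplit

# Any scheme://... token; whether it carries userinfo is decided by urlsplit.
URL_RE = re.compile(r"""[a-z][a-z0-9+.-]*://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample of a generated Kubernetes descriptor (placeholder keys).
SAMPLE_DESCRIPTOR = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shop
  annotations:
    example.org/docs: https://example.com/docs
    example.org/vcs-url: https://build-bot:CONSTRUCTED-TOKEN@git.example.com/acme/shop.git
"""

def redact(url):
    """Return the URL without its userinfo part, or None if it has none."""
    parts = urlsplit(url)
    _userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return None
    return urlunsplit(parts._replace(netloc=hostport))

def find_credential_urls(descriptor_text):
    """List (line number, key, redacted URL) for every URL carrying credentials."""
    findings = []
    for lineno, line in enumerate(descriptor_text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            clean = redact(match.group(0))
            if clean is not None:
                key = line.split(":", 1)[0].strip()
                findings.append((lineno, key, clean))
    return findings

if __name__ == "__main__":
    # Usage: pass descriptor paths; with no arguments the sample is scanned.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_DESCRIPTOR]
    hits = [f for text in texts for f in find_credential_urls(text)]
    for lineno, key, clean in hits:
        print(f"line {lineno}: {key} holds a URL with credentials (redacted: {clean})")
    sys.exit(1 if hits else 0)  # non-zero exit lets CI stop before the upload step
```
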
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat build of Quarkus | io.quarkus/quarkus-kubernetes-deployment | Will not fix | | |
| Red Hat build of Quarkus 3.2.11.Final | io.quarkus/quarkus-kubernetes-deployment | Fixed | RHSA-2024:1662 | 03.04.2024 |
Additional information
Status: Moderate
Defect: CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=2266690 quarkus: information leak in annotation
CVSS3: 3.5 Low
Related vulnerabilities
- nvd (CVSS3: 3.5, almost 2 years ago): A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.
- github (CVSS3: 3.5, almost 2 years ago): In Quarkus, git credentials could be inadvertently published