CVE-2024-40636 (GCVE-0-2024-40636)

Vulnerability from cvelistv5 – Published: 2024-07-17 17:48 – Updated: 2024-08-02 04:33
VLAI?
Title
Basic Auth Credential Leakage to Logs After Fetch Registry Error in Steeltoe.Discovery.Eureka with Peer Awareness
Summary
Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. The code in question is `_logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` in the `DiscoveryClient.cs` file which may leak credentials into logs. This issue has been addressed in version 3.2.8 of the Steeltoe.Discovery.Eureka nuget package.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE
  • CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
Impacted products
Vendor Product Version
SteeltoeOSS security-advisories Affected: < 3.2.8
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:steeltoeoss:discovery:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "discovery",
            "vendor": "steeltoeoss",
            "versions": [
              {
                "lessThan": "3.2.8",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-40636",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-17T18:34:42.919059Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-17T18:39:10.256Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:33:11.743Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "security-advisories",
          "vendor": "SteeltoeOSS",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 3.2.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. The code in question is  `_logger.LogError(e, \"FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}\", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` in the `DiscoveryClient.cs` file which may leak credentials into logs. This issue has been addressed in version 3.2.8 of the Steeltoe.Discovery.Eureka nuget package."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-17T17:48:26.029Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp"
        }
      ],
      "source": {
        "advisory": "GHSA-vmcp-66r5-3pcp",
        "discovery": "UNKNOWN"
      },
      "title": "Basic Auth Credential Leakage to Logs After Fetch Registry Error in Steeltoe.Discovery.Eureka with Peer Awareness"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-40636",
    "datePublished": "2024-07-17T17:48:26.029Z",
    "dateReserved": "2024-07-08T16:13:15.511Z",
    "dateUpdated": "2024-08-02T04:33:11.743Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-40636",
      "date": "2026-04-28",
      "epss": "0.00064",
      "percentile": "0.19833"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-40636\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-07-17T18:15:04.343\",\"lastModified\":\"2024-11-21T09:31:24.340\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. The code in question is  `_logger.LogError(e, \\\"FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}\\\", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` in the `DiscoveryClient.cs` file which may leak credentials into logs. This issue has been addressed in version 3.2.8 of the Steeltoe.Discovery.Eureka nuget package.\"},{\"lang\":\"es\",\"value\":\"Steeltoe es un proyecto de c\u00f3digo abierto que proporciona una colecci\u00f3n de librer\u00edas que ayudan a los usuarios a crear aplicaciones nativas de la nube de nivel de producci\u00f3n mediante configuraci\u00f3n externalizada, descubrimiento de servicios, seguimiento distribuido, gesti\u00f3n de aplicaciones y m\u00e1s. Cuando se utilizan varias URL del servicio del servidor Eureka con autenticaci\u00f3n b\u00e1sica y se produce un problema al obtener el registro del servicio, se registra un error con las URL del servicio del servidor Eureka, pero solo se enmascara la primera URL. El c\u00f3digo en cuesti\u00f3n es `_logger.LogError(e, \\\"FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}\\\", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` en el archivo `DiscoveryClient.cs` que puede filtrarse credenciales en registros. Este problema se solucion\u00f3 en la versi\u00f3n 3.2.8 del paquete nuget Steeltoe.Discovery.Eureka.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"references\":[{\"url\":\"https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-40636\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-07-17T18:34:42.919059Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:steeltoeoss:discovery:*:*:*:*:*:*:*:*\"], \"vendor\": \"steeltoeoss\", \"product\": \"discovery\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.2.8\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-17T18:39:06.814Z\"}}], \"cna\": {\"title\": \"Basic Auth Credential Leakage to Logs After Fetch Registry Error in Steeltoe.Discovery.Eureka with Peer Awareness\", \"source\": {\"advisory\": \"GHSA-vmcp-66r5-3pcp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"SteeltoeOSS\", \"product\": \"security-advisories\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.2.8\"}]}], \"references\": [{\"url\": \"https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp\", \"name\": \"https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. The code in question is  `_logger.LogError(e, \\\"FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}\\\", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` in the `DiscoveryClient.cs` file which may leak credentials into logs. This issue has been addressed in version 3.2.8 of the Steeltoe.Discovery.Eureka nuget package.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"CWE-532: Insertion of Sensitive Information into Log File\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-07-17T17:48:26.029Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-40636\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-17T18:39:10.256Z\", \"dateReserved\": \"2024-07-08T16:13:15.511Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-07-17T17:48:26.029Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.