GHSA-VMCP-66R5-3PCP

Vulnerability from github – Published: 2024-07-17 16:00 – Updated: 2024-07-17 19:13
VLAI?
Summary
Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error
Details

Summary

When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked.

Details

Package: Steeltoe.Discovery.Eureka Package version: 3.2.1 Branch: "release/3.2" File name: DiscoveryClient.cs Line number: 325 Code in question: _logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());

Error message in logs: FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:password@eureka2.com:443/eureka

I thought new Uri(clientOptions.EurekaServerServiceUrls) would throw a UriFormatException since there are multiple URLs but my logs are showing two URLs regardless.

PoC

  1. Set Eureka config with multiple server URLs with basic auth
  2. Apologies for not being more descriptive for this step, but I believe we would just need to trigger an exception in FetchFullRegistryAsync.
  3. Check the logs and should see the error

Impact

Vulnerability: Credential leakage in the logs Who does it impact?: Users who are using peer awareness with Spring Eureka

Severity ?
2.5 (Low)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
2.0 (Low)
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.7"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.Eureka"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.EurekaBase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.0.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.ClientCore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Discovery.ClientAutofac"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.5.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-40636"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-17T16:00:10Z",
    "nvd_published_at": "2024-07-17T18:15:04Z",
    "severity": "LOW"
  },
  "details": "### Summary\nWhen utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked.\n\n### Details\nPackage: Steeltoe.Discovery.Eureka\nPackage version: 3.2.1\nBranch: \"release/3.2\"\nFile name: `DiscoveryClient.cs`\nLine number: 325\nCode in question:  `_logger.LogError(e, \"FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}\", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());`\n\n\nError message in logs: `FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:password@eureka2.com:443/eureka`\n\nI thought `new Uri(clientOptions.EurekaServerServiceUrls)` would throw a `UriFormatException` since there are multiple URLs but my logs are showing two URLs regardless.\n\n### PoC\n1. Set Eureka config with multiple server URLs with basic auth\n2. Apologies for not being more descriptive for this step, but I believe we would just need to trigger an exception in `FetchFullRegistryAsync`.\n3. Check the logs and should see the error \n\n### Impact\nVulnerability: Credential leakage in the logs\nWho does it impact?: Users who are using peer awareness with Spring Eureka",
  "id": "GHSA-vmcp-66r5-3pcp",
  "modified": "2024-07-17T19:13:43Z",
  "published": "2024-07-17T16:00:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-40636"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/Steeltoe/commit/c5d4a94e90ccb77f8e851bc681a2e348a95e7ecb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SteeltoeOSS/security-advisories"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.