Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS12bWNwLTY2cjUtM3BjcM4AA9-0

Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error

Summary

When multiple Eureka server service URLs that carry basic auth credentials are configured and fetching the service registry fails, the resulting error is logged together with the Eureka server service URLs, but only the first URL's credentials are masked; the remaining URLs are written to the log in clear text.

Details

Package: Steeltoe.Discovery.Eureka
Package version: 3.2.1
Branch: "release/3.2"
File name: DiscoveryClient.cs
Line number: 325
Code in question: _logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());

Error message in logs: FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:[email protected]:443/eureka

I thought new Uri(clientOptions.EurekaServerServiceUrls) would throw a UriFormatException since there are multiple URLs, but my logs are showing two URLs regardless.
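The parsing behaviour described above, as an added example that is not Steeltoe's own code: a comma-separated URL list handed to new Uri(...) parses without error because the comma and everything after it become part of the first URL's path, so masking that Uri's userinfo touches only the first credential. MaskUserInfo, MaskListAsSingleUri and MaskListPerUrl are invented helper names, and the hosts are constructed.

```csharp
using System;
using System.Linq;

// Added example, not Steeltoe code: contrasts masking a whole URL list through a
// single Uri (the vulnerable pattern) with masking each URL separately (the fix).
public static class EurekaUrlMasking
{
    // Masks the userinfo of ONE URL. Path and query are kept verbatim, which is
    // exactly where the surplus URLs land when a comma-separated list is parsed
    // as a single Uri. (Uri.Authority omits a default port such as 443.)
    public static string MaskUserInfo(Uri uri)
    {
        if (string.IsNullOrEmpty(uri.UserInfo))
        {
            return uri.ToString();
        }
        return $"{uri.Scheme}://****:****@{uri.Authority}{uri.PathAndQuery}";
    }

    // Vulnerable pattern: the whole setting is passed to new Uri(...). No
    // UriFormatException is thrown; the second URL, credentials included,
    // survives inside the first URL's path and is logged unmasked.
    public static string MaskListAsSingleUri(string serviceUrls)
    {
        return MaskUserInfo(new Uri(serviceUrls));
    }

    // Fixed pattern: split the setting on ',' first, then mask every URL.
    public static string MaskListPerUrl(string serviceUrls)
    {
        return string.Join(",", serviceUrls
            .Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries)
            .Select(u => MaskUserInfo(new Uri(u.Trim()))));
    }

    public static void Main()
    {
        // Constructed sample mirroring the advisory's two-server setup; not real hosts.
        const string urls =
            "https://user:pass@eureka1.example:443/eureka," +
            "https://user:pass@eureka2.example:443/eureka";

        Console.WriteLine("single Uri : " + MaskListAsSingleUri(urls));
        Console.WriteLine("per URL    : " + MaskListPerUrl(urls));
    }
}
```

Running it prints the second credential in clear text on the first line and fully masked on the second, which is the check to apply to any log line built from a multi-URL setting.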

PoC

  1. Configure Eureka with multiple server URLs that include basic auth credentials.
  2. Apologies for not being more descriptive for this step, but I believe we would just need to trigger an exception in FetchFullRegistryAsync.
  3. Check the logs; the error message should appear there.

Impact

Vulnerability: Credential leakage in the logs
Who does it impact?: Users who are using peer awareness with Spring Eureka

Permalink: https://github.com/advisories/GHSA-vmcp-66r5-3pcp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12bWNwLTY2cjUtM3BjcM4AA9-0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 2 months ago
Updated: about 2 months ago


CVSS Score: 2.5
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-vmcp-66r5-3pcp, CVE-2024-40636
References: Repository: https://github.com/SteeltoeOSS/security-advisories
Blast Radius: 0.8

Affected Packages

nuget:Steeltoe.Discovery.ClientAutofac
Dependent packages: 0
Dependent repositories: 2
Downloads: 31,018 total
Affected Version Ranges: <= 2.5.5
No known fixed version
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5
nuget:Steeltoe.Discovery.ClientCore
Dependent packages: 16
Dependent repositories: 0
Downloads: 2,036,793 total
Affected Version Ranges: < 3.0.0
No known fixed version
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5
nuget:Steeltoe.Discovery.EurekaBase
Dependent packages: 4
Dependent repositories: 0
Downloads: 1,479,239 total
Affected Version Ranges: <= 2.5.5
No known fixed version
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5
nuget:Steeltoe.Discovery.Eureka
Dependent packages: 10
Dependent repositories: 0
Downloads: 937,895 total
Affected Version Ranges: <= 3.2.7
Fixed in: 3.2.8
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7
All unaffected versions: 3.2.8