Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qcWgyLWNoN3AteHd4aM4ABADo

Quarkus CXF logs passwords and other secrets

A vulnerability was found in Quarkus CXF. Passwords and other secrets may appear in the application log even though the user has configured them to be hidden. The issue is only exploitable under a particular configuration: SOAP logging must be enabled and the application must set client- and endpoint-level logging properties. The attacker must also have access to the application log.
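The practical question this advisory raises for an operator is whether secrets actually reached the log. The following is an added example, not code from the advisory or from the Quarkus CXF project: a stand-alone Python check that scans application log lines for SOAP elements and protocol headers that should have been masked but were written in clear, alongside a reference masking function that shows what the hidden form looks like. It assumes CXF-style message dumps (a "Headers: {...}" line and a "Payload: <soap:Envelope>..." line), caller-supplied lists of sensitive element and header names, and a placeholder mask string "XXX"; the log lines are constructed for the example. It is written in Python rather than the project's Java so that it runs on its own against an exported log file.

```python
"""
Added example (not part of the advisory or of Quarkus CXF): scan log lines for
secrets that SOAP message logging should have masked, and show the masked form.

Assumptions (not taken from the advisory):
  * log lines are CXF-style dumps with raw SOAP payloads and protocol headers;
  * the caller supplies the sensitive element and header names;
  * "XXX" is the mask string; it is a placeholder chosen for this example.
"""
import re
from dataclasses import dataclass

MASK = "XXX"
SENSITIVE_ELEMENTS = ("password", "secret", "apiKey")
SENSITIVE_HEADERS = ("Authorization",)

# Constructed log lines: a request logged without masking, then the same
# request as it should look when masking is in effect.
SAMPLE_LOG = [
    "2024-10-01 10:00:00 INFO  [org.apa.cxf.ser.Hel.REQ_OUT] Headers: "
    "{Authorization=[Basic dXNlcjpwYXNz], Content-Type=[text/xml]}",
    "2024-10-01 10:00:00 INFO  [org.apa.cxf.ser.Hel.REQ_OUT] Payload: "
    "<soap:Envelope><soap:Body><ns2:login><ns2:user>alice</ns2:user>"
    "<ns2:password>hunter2</ns2:password></ns2:login></soap:Body></soap:Envelope>",
    "2024-10-01 10:00:01 INFO  [org.apa.cxf.ser.Hel.REQ_OUT] Headers: "
    "{Authorization=[XXX], Content-Type=[text/xml]}",
    "2024-10-01 10:00:01 INFO  [org.apa.cxf.ser.Hel.REQ_OUT] Payload: "
    "<soap:Envelope><soap:Body><ns2:login><ns2:user>alice</ns2:user>"
    "<ns2:password>XXX</ns2:password></ns2:login></soap:Body></soap:Envelope>",
]


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str   # "element" or "header"
    name: str   # the element or header name whose value leaked


def _element_pattern(names):
    # <prefix:name attrs>value</prefix:name>; \b stops "password" matching
    # "passwordHash", and the backreference ties the close tag to the open tag.
    alt = "|".join(re.escape(n) for n in names)
    return re.compile(
        r"<(?P<open>(?:[\w.-]+:)?(?P<name>" + alt + r")\b)(?P<attrs>[^>]*)>"
        r"(?P<value>[^<]*)</(?P=open)>",
        re.IGNORECASE,
    )


def _header_pattern(names):
    # Accepts both "Name: value" and the map style "Name=[value]" seen in dumps.
    alt = "|".join(re.escape(n) for n in names)
    return re.compile(
        r"\b(?P<name>" + alt + r")(?P<sep>\s*[:=]\s*\[?)(?P<value>[^\]\r\n,}]+)",
        re.IGNORECASE,
    )


def find_leaks(lines, element_names=SENSITIVE_ELEMENTS, header_names=SENSITIVE_HEADERS):
    """Return a Finding for every sensitive element/header whose value is not masked."""
    ep, hp = _element_pattern(element_names), _header_pattern(header_names)
    findings = []
    for line_no, line in enumerate(lines, 1):
        for m in ep.finditer(line):
            if m.group("value").strip() != MASK:
                findings.append(Finding(line_no, "element", m.group("name")))
        for m in hp.finditer(line):
            if m.group("value").strip() != MASK:
                findings.append(Finding(line_no, "header", m.group("name")))
    return findings


def mask_line(line, element_names=SENSITIVE_ELEMENTS, header_names=SENSITIVE_HEADERS):
    """Reference masking: replace sensitive element text and header values with MASK."""
    line = _element_pattern(element_names).sub(
        lambda m: "<%s%s>%s</%s>" % (m.group("open"), m.group("attrs"), MASK, m.group("open")),
        line,
    )
    line = _header_pattern(header_names).sub(
        lambda m: m.group("name") + m.group("sep") + MASK,
        line,
    )
    return line


def check_sample():
    """Scan the constructed sample; only the two unmasked lines should be reported."""
    return find_leaks(SAMPLE_LOG)


if __name__ == "__main__":
    for f in check_sample():
        print("line %d: %s %r written in clear" % (f.line_no, f.kind, f.name))
    print(mask_line(SAMPLE_LOG[1]))
```

Run it against a real log with `find_leaks(open("application.log").read().splitlines())` after extending the two name tuples to whatever your own configuration declares as sensitive; any Finding on a host running an affected version is evidence that the log must be treated as containing credentials and the affected secrets rotated, not merely that the logging setting was wrong.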

Permalink: https://github.com/advisories/GHSA-jqh2-ch7p-xwxh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcWgyLWNoN3AteHd4aM4ABADo
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: 15 days ago


CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Percentage: 0.00045
EPSS Percentile: 0.1735

Identifiers: GHSA-jqh2-ch7p-xwxh, CVE-2024-9621
References: Repository: https://github.com/quarkiverse/quarkus-cxf
Blast Radius: 7.5

Affected Packages

maven:io.quarkiverse.cxf:quarkus-cxf
Dependent packages: 20
Dependent repositories: 26
Downloads:
Affected Version Ranges: < 3.15.2
Fixed in: 3.15.2
All affected versions: 0.1.0, 0.1.1, 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.13.1, 0.14.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.5.9, 1.5.10, 1.5.11, 1.5.12, 1.5.13, 1.5.14, 1.5.15, 1.5.16, 1.5.17, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1, 3.8.0, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.9.0, 3.10.0, 3.11.0, 3.11.1, 3.12.0, 3.13.0, 3.13.1, 3.14.0, 3.15.0, 3.15.1
All unaffected versions: 3.15.2, 3.15.3, 3.16.0, 3.16.1