GHSA-vmcp-66r5-3pcp

Suggest an improvement
Source
https://github.com/advisories/GHSA-vmcp-66r5-3pcp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-vmcp-66r5-3pcp/GHSA-vmcp-66r5-3pcp.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vmcp-66r5-3pcp
Aliases
  • CVE-2024-40636
Published
2024-07-17T16:00:10Z
Modified
2024-07-17T19:20:40.164075Z
Severity
  • 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
  • 2.0 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error
Details

Summary

When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked.

Details

Package: Steeltoe.Discovery.Eureka Package version: 3.2.1 Branch: "release/3.2" File name: DiscoveryClient.cs Line number: 325 Code in question: _logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());

Error message in logs: FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:password@eureka2.com:443/eureka

I thought new Uri(clientOptions.EurekaServerServiceUrls) would throw a UriFormatException since there are multiple URLs but my logs are showing two URLs regardless.

PoC

  1. Set Eureka config with multiple server URLs with basic auth
  2. Apologies for not being more descriptive for this step, but I believe we would just need to trigger an exception in FetchFullRegistryAsync.
  3. Check the logs and should see the error

Impact

Vulnerability: Credential leakage in the logs Who does it impact?: Users who are using peer awareness with Spring Eureka

Database specific
{
    "nvd_published_at": "2024-07-17T18:15:04Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-17T16:00:10Z"
}
References

Affected packages

NuGet / Steeltoe.Discovery.Eureka

Package

Name
Steeltoe.Discovery.Eureka
View open source insights on deps.dev
Purl
pkg:nuget/Steeltoe.Discovery.Eureka

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.2.8

Affected versions

3.*

3.0.0-rc1
3.0.0
3.0.1
3.0.2
3.1.0-rc1
3.1.0-rc2
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0-rc1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7

Database specific

{
    "last_known_affected_version_range": "<= 3.2.7"
}

NuGet / Steeltoe.Discovery.EurekaBase

Package

Name
Steeltoe.Discovery.EurekaBase
View open source insights on deps.dev
Purl
pkg:nuget/Steeltoe.Discovery.EurekaBase

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.5.5

Affected versions

2.*

2.0.0
2.0.1
2.1.0-rc1
2.1.0
2.1.1
2.2.0-rc1
2.2.0-rc2
2.2.0
2.3.0-rc1
2.3.0-rc2
2.3.0
2.4.0-rc1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5

NuGet / Steeltoe.Discovery.ClientCore

Package

Name
Steeltoe.Discovery.ClientCore
View open source insights on deps.dev
Purl
pkg:nuget/Steeltoe.Discovery.ClientCore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.0.0-rc1
2.0.0
2.0.1
2.1.0-rc1
2.1.0
2.1.1
2.2.0-rc1
2.2.0-rc2
2.2.0
2.3.0-rc1
2.3.0-rc2
2.3.0
2.4.0-rc1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5

3.*

3.0.0-m1
3.0.0-m2
3.0.0-m3
3.0.0-rc1
3.0.0
3.0.1
3.0.2
3.1.0-rc1
3.1.0-rc2
3.1.0
3.1.1
3.1.2
3.1.3
3.2.0-rc1
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8

Database specific

{
    "last_known_affected_version_range": "< 3.0.0"
}

NuGet / Steeltoe.Discovery.ClientAutofac

Package

Name
Steeltoe.Discovery.ClientAutofac
View open source insights on deps.dev
Purl
pkg:nuget/Steeltoe.Discovery.ClientAutofac

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.5.5

Affected versions

2.*

2.0.0-rc1
2.0.0
2.0.1
2.1.0-rc1
2.1.0
2.1.1
2.2.0-rc1
2.2.0-rc2
2.2.0
2.3.0-rc1
2.3.0-rc2
2.3.0
2.4.0-rc1
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5