{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1979", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-02-28T17:43:25.030Z", "datePublished": "2024-03-13T09:41:25.039Z", "dateUpdated": "2024-11-06T14:52:02.707Z"}, "containers": {"cna": {"title": "Quarkus: information leak in annotation", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "3.2.11", "versionType": "custom"}], "packageName": "quarkus", "collectionURL": "https://github.com/quarkusio/quarkus/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.2.11.Final", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-kubernetes-deployment", "defaultStatus": "affected", "versions": [{"version": "3.2.11.Final-redhat-00001", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:quarkus:3.2::el8"]}, {"vendor": "Red Hat", "product": "Red Hat build of Quarkus", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "io.quarkus/quarkus-kubernetes-deployment", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:quarkus:2"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1662", "name": "RHSA-2024:1662", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1979", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266690", "name": "RHBZ#2266690", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/quarkusio/quarkus/issues/38055"}], "datePublic": "2024-01-05T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "workarounds": [{"lang": "en", "value": "Ensure that at least one of the preconditions is not present in your environment."}], "timeline": [{"lang": "en", "time": "2024-03-04T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-05T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-06T14:52:02.707Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1979", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-03T18:24:03.945461Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:25.907Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.962Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1662", "name": "RHSA-2024:1662", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1979", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266690", "name": "RHBZ#2266690", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/quarkusio/quarkus/issues/38055", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1662", "name": "RHSA-2024:1662", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1979", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266690", "name": "RHBZ#2266690", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://github.com/quarkusio/quarkus/issues/38055", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:56:22.962Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1979", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-03T18:24:03.945461Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T15:20:38.826Z"}}], "cna": {"title": "Quarkus: information leak in annotation", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "3.2.11", "versionType": "custom"}], "packageName": "quarkus", "collectionURL": "https://github.com/quarkusio/quarkus/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:quarkus:3.2::el8"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus 3.2.11.Final", "versions": [{"status": "unaffected", "version": "3.2.11.Final-redhat-00001", "lessThan": "*", "versionType": "rpm"}], "packageName": "io.quarkus/quarkus-kubernetes-deployment", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:quarkus:2"], "vendor": "Red Hat", "product": "Red Hat build of Quarkus", "packageName": "io.quarkus/quarkus-kubernetes-deployment", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-03-04T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-05T00:00:00+00:00", "value": "Made public."}], "datePublic": "2024-01-05T00:00:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:1662", "name": "RHSA-2024:1662", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-1979", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266690", "name": "RHBZ#2266690", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/quarkusio/quarkus/issues/38055"}], "workarounds": [{"lang": "en", "value": "Ensure that at least one of the preconditions is not present in your environment."}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-06T14:52:02.707Z"}, "x_redhatCweChain": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}}, "cveMetadata": {"cveId": "CVE-2024-1979", "state": "PUBLISHED", "dateUpdated": "2024-11-06T14:52:02.707Z", "dateReserved": "2024-02-28T17:43:25.030Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-03-13T09:41:25.039Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Quarkus. En ciertas condiciones relacionadas con el proceso de CI, las credenciales de git podr\u00edan publicarse sin darse cuenta, lo que podr\u00eda poner en riesgo el repositorio de git."}], "id": "CVE-2024-1979", "lastModified": "2024-04-03T13:16:01.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-03-13T10:15:08.153", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:1662"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-1979"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266690"}, {"source": "secalert@redhat.com", "url": "https://github.com/quarkusio/quarkus/issues/38055"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:1662", "cpe": "cpe:/a:redhat:quarkus:3.2::el8", "package": "io.quarkus/quarkus-kubernetes-deployment:3.2.11.Final-redhat-00001", "product_name": "Red Hat build of Quarkus 3.2.11.Final", "release_date": "2024-04-03T00:00:00Z"}], "bugzilla": {"description": "quarkus: information leak in annotation", "id": "2266690", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2266690"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.", "A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk."], "mitigation": {"lang": "en:us", "value": "Ensure that at least one of the preconditions is not present in your environment."}, "name": "CVE-2024-1979", "package_state": [{"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Will not fix", "package_name": "io.quarkus/quarkus-kubernetes-deployment", "product_name": "Red Hat build of Quarkus"}], "public_date": "2024-01-05T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-1979\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1979\nhttps://github.com/quarkusio/quarkus/issues/38055"], "statement": "Three conditions are required to enable this vulnerability:\n1) If you are in an environment where you have a token in the Git URL of the Quarkus project you are building\n2) If you build with a Quarkus extension that generates a Kubernetes descriptor (for instance a Kubernetes or OpenShift extension)\n3) If this descriptor is automatically published as a build artifact (such as GitHub Actions artifacts)\nDue to these combined restrictions, which are all beyond an attackers control, there is limited opportunity for exploitation. Therefore, the security impact is rated Moderate.", "threat_severity": "Moderate", "upstream_fix": "quarkus 3.7.3"}