PT-2024-28955 · Steeltoe · Steeltoe.Discovery.Eureka
Timhess
·
Published
2024-07-17
·
Updated
2024-07-18
·
CVE-2024-40636
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Steeltoe.Discovery.Eureka versions prior to 3.2.8
Description
Credentials can leak into logs when multiple Eureka server service URLs that embed basic-auth credentials are configured and fetching the service registry fails. Only the first URL is masked in the resulting error log entry, so the credentials of the subsequent URLs may be exposed in clear text. The affected code is located in the DiscoveryClient.cs file.
Recommendations
For Steeltoe.Discovery.Eureka versions prior to 3.2.8, update to version 3.2.8 of the Steeltoe.Discovery.Eureka nuget package to address the credential leakage issue. As a temporary workaround, consider restricting log access to minimize the risk of exposed credentials.
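The defect class described above, shown as an added example that is not Steeltoe's own code: a comma-separated list of Eureka server URLs with embedded basic-auth credentials, masked by a routine that only handles the first entry beside one that masks every entry. The `EurekaUrlMasker` class, its methods and the sample URLs are constructed for illustration.

```csharp
using System;
using System.Linq;

// Added example, not Steeltoe's own code: the defect class from the advisory and its fix.
// The Eureka client takes a comma-separated list of server URLs, each of which may carry
// basic-auth credentials; every entry must be masked before the list reaches a log line.
public static class EurekaUrlMasker
{
    // Hypothetical helper: replaces the userinfo part ("user:pass@") of one absolute URL.
    public static string MaskOne(string url)
    {
        int schemeEnd = url.IndexOf("://", StringComparison.Ordinal);
        if (schemeEnd < 0) return url;                    // not an absolute URL, nothing to mask
        int authorityStart = schemeEnd + 3;
        int authorityEnd = url.IndexOfAny(new[] { '/', '?', '#' }, authorityStart);
        if (authorityEnd < 0) authorityEnd = url.Length;
        if (authorityEnd <= authorityStart) return url;   // empty authority component
        // Userinfo ends at the last '@' inside the authority component.
        int at = url.LastIndexOf('@', authorityEnd - 1, authorityEnd - authorityStart);
        if (at < 0) return url;                           // no credentials embedded
        return url.Substring(0, authorityStart) + "****:****" + url.Substring(at);
    }

    // The pattern the advisory describes: only the first entry of the list is masked,
    // so the credentials of the second and later servers are written to the log as-is.
    public static string MaskFirstOnly(string serviceUrls)
    {
        string[] parts = serviceUrls.Split(',');
        parts[0] = MaskOne(parts[0].Trim());
        return string.Join(",", parts);
    }

    // Fixed behaviour: mask every entry, however many servers are configured.
    public static string MaskAll(string serviceUrls)
    {
        return string.Join(",", serviceUrls.Split(',').Select(p => MaskOne(p.Trim())));
    }

    public static void Main()
    {
        // Constructed sample configuration with placeholder hosts and credentials.
        const string urls =
            "http://user1:placeholderA@eureka1.example.internal:8761/eureka/," +
            "http://user2:placeholderB@eureka2.example.internal:8761/eureka/";
        Console.WriteLine("Leaky: " + MaskFirstOnly(urls));   // second URL still shows placeholderB
        Console.WriteLine("Fixed: " + MaskAll(urls));         // both entries show ****:****
    }
}
```

When reviewing logs for exposure, the second line of output is what a correctly masked error entry should look like; any entry resembling the first line indicates the unpatched behaviour.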
Fix
Insertion into Log File
Weakness Enumeration
Related Identifiers
Affected Products
Steeltoe.Discovery.Eureka