CVE-2024-9621 – io.quarkiverse.cxf:quarkus-cxf

Package

Manager: maven
Name: io.quarkiverse.cxf:quarkus-cxf
Vulnerable Version: >=0 <3.15.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00045 pctl0.13374

Details

Quarkus CXF logs passwords and other secrets A vulnerability was found in Quarkus CXF. Passwords and other secrets may appear in the application log in spite of the user configuring them to be hidden. This issue requires some special configuration to be vulnerable, such as SOAP logging enabled, application set client, and endpoint logging properties, and the attacker must have access to the application log.

Metadata

Created: 2024-10-08T18:33:14Z
Modified: 2024-12-06T12:30:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-jqh2-ch7p-xwxh/GHSA-jqh2-ch7p-xwxh.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-jqh2-ch7p-xwxh
Finding: F100
Auto approve: 1