CVE-2024-40636 – steeltoe.discovery.eureka

Package

Manager: nuget
Name: steeltoe.discovery.eureka
Vulnerable Version: >=0 <3.2.8

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00041 pctl0.11229

Details

Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error ### Summary When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. ### Details Package: Steeltoe.Discovery.Eureka Package version: 3.2.1 Branch: "release/3.2" File name: `DiscoveryClient.cs` Line number: 325 Code in question: `_logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` Error message in logs: `FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:password@eureka2.com:443/eureka` I thought `new Uri(clientOptions.EurekaServerServiceUrls)` would throw a `UriFormatException` since there are multiple URLs but my logs are showing two URLs regardless. ### PoC 1. Set Eureka config with multiple server URLs with basic auth 2. Apologies for not being more descriptive for this step, but I believe we would just need to trigger an exception in `FetchFullRegistryAsync`. 3. Check the logs and should see the error ### Impact Vulnerability: Credential leakage in the logs Who does it impact?: Users who are using peer awareness with Spring Eureka

Metadata

Created: 2024-07-17T16:00:10Z
Modified: 2024-07-17T19:13:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-vmcp-66r5-3pcp/GHSA-vmcp-66r5-3pcp.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-vmcp-66r5-3pcp
Finding: F039
Auto approve: 1