Quarkus is a popular Java framework for building cloud-native applications. But in early 2024, a serious flaw—CVE-2024-1979—was discovered. Under specific circumstances during Continuous Integration (CI) pipelines, Quarkus could accidentally expose sensitive git credentials, putting whole repositories at risk. In this post, I’ll break down how this vulnerability works, walk you through a code example, and show you a simple PoC exploit.
What Is CVE-2024-1979?
CVE-2024-1979 is an information disclosure bug in (prepatched) versions of Quarkus. In particular, when using Quarkus’ automated code generation and CI support features, there is a risk that sensitive information—such as git credentials (tokens, usernames, passwords) stored inside local .git-credentials or similar configuration files—could get accidentally published.
Quarkus’ CI features sometimes include copies of local files in logs or artifacts. If not properly filtered, these files might contain secrets.
Original advisory:
- GitHub Security Advisory for Quarkus
- CVE record
How the Vulnerability Works
Imagine you have your git credentials saved so CI jobs can check out code. When you build or scaffold a new Quarkus project in CI, some processes might read all configuration files into build reports, logs, or build artifacts for debugging.
If the .git-credentials file (or an environment variable holding sensitive data) ends up in those build logs or output artifacts, anyone with access to those logs can retrieve your secrets.
Affected Versions
Check the Quarkus security advisory for precise details, but generally, Quarkus versions before 3.8.2 are vulnerable.
Proof-of-Concept Exploit (Code Sample)
Here’s how someone could reproduce (and possibly abuse) the bug in a simple CI scenario.
On a CI host, ~/.git-credentials might look like
https://username:supersecrettoken@github.com
In your Jenkinsfile, GitHub Actions, or similar
name: Quarkus Build
on:
push:
branches:
- main
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Build Quarkus project (simulated vulnerable step)
run: |
# Quarkus scaffolding step
quarkus create app my.group:my-app
# Accidentally log all files including .git-credentials
echo "Dumping home directory:"
ls -la ~/
echo "Dumping .git-credentials content:"
cat ~/.git-credentials
# In real exploit, Quarkus build tools might dump this by mistake
This step is equivalent to what a vulnerable script could do automatically if debug output or logs were not filtered correctly.
A user with access to the build logs or artifacts could now view
Dumping .git-credentials content:
https://username:supersecrettoken@github.com
They can then impersonate the developer or CI bot.
How to Fix and Protect Yourself
Official Fix:
Upgrade to Quarkus 3.8.2 or later. The fix ensures that code generation and build outputs will never include sensitive files by default.
✅ Remove .git-credentials after checkout if not needed.
- ✅ Limit artifact/log access to trusted users.
- ✅ Use CI secret scanning to catch leaks.
Example: Prevent Logging of Sensitive Files
# Instead of blindly dumping all files, explicitly whitelist
ls -la ~/ | grep -v '.git-credentials'
Or, in Quarkus build steps, avoid increasing verbosity unnecessarily.
Further Reading
- NVD CVE-2024-1979
- GitHub Security Advisory for Quarkus
- How to manage git credentials securely
- GitHub Actions Security Best Practices
Final Thoughts
CVE-2024-1979 is a strong reminder that sensitive data often hides in plain sight—and with powerful automation, those secrets can escape into unexpected places. Always watch your build outputs, use the latest frameworks, and scan your CI logs for secrets. Stay safe!
If you run Quarkus in CI, update now—don’t wait for someone else to find your leaked credentials.
*This article is original and designed to give you both context and a practical demonstration so you can understand and defend against similar CI supply chain risks.*
Timeline
Published on: 03/13/2024 10:15:08 UTC
Last modified on: 04/03/2024 13:16:01 UTC