CVE-2024-1979: Quarkus Vulnerability Leads to Inadvertent Git Credential Exposure in CI Process

A newly discovered vulnerability, CVE-2024-1979, affects Quarkus, a popular Kubernetes Native Java development framework. This vulnerability exposes git credentials during certain conditions in the CI (Continuous Integration) process. Due to this, unauthorized access to the git repository may be granted, putting the entire development project at risk. In this post, we'll deep dive into the technical details behind this vulnerability, exploring the affected environment, the means of exploitation, as well as potential prevention methods.

Vulnerability Details

The DefaultCredentialsProvider component of Quarkus does not handle the CI process and git credentials correctly. In some specific circumstances, these git credentials may leak to the build logs or be inadvertently published along with the application. This vulnerability can only be exploited with local file access, and attackers must possess access to the affected CI/CD environment.

Here is a code snippet that demonstrates the potential leak in Quarkus using its configuration API

@Path("/credentials")
public class CredentialsResource {

    @ConfigProperty(name = "quarkus.git.oauth_token")
    String gitOAuthToken;

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String exposeCredentials() {
        return gitOAuthToken;
    }
    
}

As seen above, the Quarkus application is configured to use the quarkus.git.oauth_token configuration property, which contains sensitive git credentials. The vulnerable code allows these credentials to be exposed when there are requests made to the /credentials endpoint.

The National Vulnerability Database has assigned CVE-2024-1979 a 4.8 severity rating, which denotes a moderate risk level.

Quarkus versions before 1.13.2.Final

- CI/CD environments making use of vulnerable versions of Quarkus

1. Official Quarkus GitHub repository: https://github.com/quarkusio/quarkus
2. The CVE advisory from the National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-1979
3. Quarkus Official Documentation: https://quarkus.io/guides

Exploit Details

Exploiting CVE-2024-1979 requires local access to the potentially affected Quarkus applications and environment. The attacker would need to look for build logs or the published applications exposed via vulnerable endpoints such as /credentials detailed in the code snippet earlier. Upon obtaining the git credentials, attackers can access the git repository and tamper with the code, exfiltrate the data or use the obtained access for other malicious purposes.

Mitigation and Prevention

The recommended solution to this vulnerability is to update your Quarkus application to the latest version (1.13.2.Final or newer). This can be done by updating the Quarkus dependency in your pom.xml or build.gradle file.

Avoid hardcoding sensitive credentials within the application code.

2. Utilize environment variables or configuration files that are not committed to the git repository to store sensitive data.
3. Monitor and review the CI/CD build logs and published applications for any signs of unintended credential exposure.
4. Implement proper access control and limit the number of users who have access to the CI/CD environment.

Conclusion

CVE-2024-1979 highlights the importance of reviewing and monitoring your CI/CD environment, ensuring that sensitive information is neither leaked nor exposed during the build process. By updating Quarkus to the latest version and adhering to best practices, you help minimize the risk posed by this vulnerability and protect your project and its valuable data.

Timeline

Published on: 03/13/2024 10:15:08 UTC
Last modified on: 04/03/2024 13:16:01 UTC