CVE-2024-40636: Steeltoe Leaks Basic Auth Credentials to Logs After Fetch Registry Error

July 17, 2024

When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked.

References

github.com/SteeltoeOSS/Steeltoe/commit/c5d4a94e90ccb77f8e851bc681a2e348a95e7ecb
github.com/SteeltoeOSS/security-advisories
github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-vmcp-66r5-3pcp
github.com/advisories/GHSA-vmcp-66r5-3pcp
nvd.nist.gov/vuln/detail/CVE-2024-40636

Code Behaviors & Features

Detect and mitigate CVE-2024-40636 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →