Skip to content

Basic Auth Credential Leakage to Logs After Fetch Registry Error in Steeltoe.Discovery.Eureka with Peer Awareness

Low
TimHess published GHSA-vmcp-66r5-3pcp Jul 17, 2024

Package

nuget Steeltoe.Discovery.ClientAutofac (NuGet)

Affected versions

<= 2.5.5

Patched versions

None
nuget Steeltoe.Discovery.ClientCore (NuGet)
< 3.0.0
None
nuget Steeltoe.Discovery.Eureka (NuGet)
<= 3.2.7
3.2.8
nuget Steeltoe.Discovery.EurekaBase (NuGet)
<= 2.5.5
None

Description

Summary

When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked.

Details

Package: Steeltoe.Discovery.Eureka
Package version: 3.2.1
Branch: "release/3.2"
File name: DiscoveryClient.cs
Line number: 325
Code in question: _logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());

Error message in logs: FetchRegistry Failed for Eureka service urls: https://****:****@eureka1.com:443/eureka,https://user:[email protected]:443/eureka

I thought new Uri(clientOptions.EurekaServerServiceUrls) would throw a UriFormatException since there are multiple URLs but my logs are showing two URLs regardless.

PoC

  1. Set Eureka config with multiple server URLs with basic auth
  2. Apologies for not being more descriptive for this step, but I believe we would just need to trigger an exception in FetchFullRegistryAsync.
  3. Check the logs and should see the error

Impact

Vulnerability: Credential leakage in the logs
Who does it impact?: Users who are using peer awareness with Spring Eureka

Severity

Low

CVE ID

CVE-2024-40636

Weaknesses

No CWEs