How severe is CVE-2024-40636?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2024-40636?

This is classified as CWE-532, which is a common weakness in software security.

CVE-2024-40636 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. The code in question is `_logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` in the `DiscoveryClient.cs` file which may leak credentials into logs. This issue has been addressed in version 3.2.8 of the Steeltoe.Discovery.Eureka nuget package.

Related Vulnerabilities

CVE-2015-1343

MEDIUM

CVSS:5.3(Medium)

All versions of unity-scope-gdrive logs search terms to syslog.

CWE-5322015

CVE-2017-1198

MEDIUM

CVSS:5.3(Medium)

IBM BigFix Compliance 1.7 through 1.9.91 (TEMA SUAv1 SCA SCM) stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs vi...

CWE-5322017

CVE-2017-17675

MEDIUM

CVSS:5.3(Medium)

BMC Remedy Mid Tier 9.1SP3 is affected by log hijacking. Remote logging can be accessed by unauthenticated users, allowing for an attacker to hijack the system logs. This data can include user names a...

CWE-5322017

CVE-2018-10889

MEDIUM

CVSS:5.3(Medium)

A flaw was found in moodle before versions 3.5.1, 3.4.4, 3.3.7. No option existed to omit logs from data privacy exports, which may contain details of other users who interacted with the requester.

CWE-5322018

CVE-2018-1349

MEDIUM

CVSS:5.3(Medium)

The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system or configuration enumeration.

CWE-5322018

CVE-2018-1350

MEDIUM

CVSS:5.3(Medium)

The NetIQ Identity Manager driver log file, in versions prior to 4.7, provides details that could aid in system enumeration.

CWE-5322018