{
  "threat_severity" : "Moderate",
  "public_date" : "2024-01-05T00:00:00Z",
  "bugzilla" : {
    "description" : "quarkus: information leak in annotation",
    "id" : "2266690",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2266690"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk.", "A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk." ],
  "statement" : "Three conditions are required to enable this vulnerability:\n1) If you are in an environment where you have a token in the Git URL of the Quarkus project you are building\n2) If you build with a Quarkus extension that generates a Kubernetes descriptor (for instance a Kubernetes or OpenShift extension)\n3) If this descriptor is automatically published as a build artifact (such as GitHub Actions artifacts)\nDue to these combined restrictions, which are all beyond an attackers control, there is limited opportunity for exploitation. Therefore, the security impact is rated Moderate.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Quarkus 3.2.11.Final",
    "release_date" : "2024-04-03T00:00:00Z",
    "advisory" : "RHSA-2024:1662",
    "cpe" : "cpe:/a:redhat:quarkus:3.2::el8",
    "package" : "io.quarkus/quarkus-kubernetes-deployment:3.2.11.Final-redhat-00001"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat build of Quarkus",
    "fix_state" : "Will not fix",
    "package_name" : "io.quarkus/quarkus-kubernetes-deployment",
    "cpe" : "cpe:/a:redhat:quarkus:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-1979\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-1979\nhttps://github.com/quarkusio/quarkus/issues/38055" ],
  "name" : "CVE-2024-1979",
  "mitigation" : {
    "value" : "Ensure that at least one of the preconditions is not present in your environment.",
    "lang" : "en:us"
  },
  "csaw" : false
}