CVE-2024-9621: Io.quarkiverse.cxf:quarkus-cxf: quarkus cxf may log user password and secret to application log

Description

A vulnerability was found in Quarkus CXF. Passwords and other secrets may appear in the application log in spite of the user configuring them to be hidden. This issue requires some special configuration to be vulnerable, such as SOAP logging enabled, application set client, and endpoint logging properties, and the attacker must have access to the application log.

Classification

CVE ID: CVE-2024-9621

Affected Products

Vendor: Red Hat

Product: Red Hat Build of Apache Camel 4.4 for Quarkus 3.8

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.81% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://access.redhat.com/errata/RHSA-2024:10035
https://access.redhat.com/security/cve/CVE-2024-9621
https://bugzilla.redhat.com/show_bug.cgi?id=2317130

Timeline

2024-12-07 00:31:29 UTC
CVE

Io.quarkiverse.cxf:quarkus-cxf: quarkus cxf may log user password and secret to application log