Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Basic Auth Credential Leakage to Logs After Fetch Registry Error in Steeltoe.Discovery.Eureka with Peer Awareness
Vulnerability Description
Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. The code in question is `_logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString());` in the `DiscoveryClient.cs` file which may leak credentials into logs. This issue has been addressed in version 3.2.8 of the Steeltoe.Discovery.Eureka nuget package.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
通过日志文件的信息暴露
Vulnerability Title
Steeltoe 安全漏洞
Vulnerability Description
Steeltoe是Steeltoe OSS开源的一个工具。帮助用户使用外部化配置、服务发现、分布式跟踪、应用程序管理等构建生产级云原生应用程序。 Steeltoe存在安全漏洞,该漏洞源于是DiscoveryClient.cs文件中的_logger.LogError可能会将凭据泄露到日志中。
CVSS Information
N/A
Vulnerability Type
N/A