VYPR
Medium severity5.3GHSA Advisory· Published Jul 17, 2024· Updated Apr 15, 2026

CVE-2024-40636

CVE-2024-40636

Description

Steeltoe is an open source project that provides a collection of libraries that helps users build production-grade cloud-native applications using externalized configuration, service discovery, distributed tracing, application management, and more. When utilizing multiple Eureka server service URLs with basic auth and encountering an issue with fetching the service registry, an error is logged with the Eureka server service URLs but only the first URL is masked. The code in question is _logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString()); in the DiscoveryClient.cs file which may leak credentials into logs. This issue has been addressed in version 3.2.8 of the Steeltoe.Discovery.Eureka nuget package.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Steeltoe.Discovery.EurekaNuGet
< 3.2.83.2.8
Steeltoe.Discovery.EurekaBaseNuGet
<= 2.5.5
Steeltoe.Discovery.ClientCoreNuGet
>= 0
Steeltoe.Discovery.ClientAutofacNuGet
<= 2.5.5

Affected products

5

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.