CVE-2024-1979: 
Java vulnerability analysis and mitigation

A vulnerability (CVE-2024-1979) was discovered in Quarkus, affecting the CI process where git credentials could be inadvertently published. The vulnerability was disclosed on March 13, 2024, and was assigned a CVSS v3.1 base score of 3.5 (LOW) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N (Red Hat CVE).

The vulnerability occurs under specific conditions during the CI process. It affects scenarios where a token is present in the Git URL of the Quarkus project being built, particularly when using extensions that generate Kubernetes descriptors (such as Kubernetes or OpenShift extensions). The issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD Database, GitHub Issue).

If exploited, this vulnerability could lead to the exposure of Git credentials, potentially putting the entire Git repository at risk. This is particularly concerning in CI environments where authentication tokens are commonly included in Git URLs (GitHub Issue).

The issue has been addressed in Red Hat build of Quarkus 3.2.11 through RHSA-2024:1662. Users are advised to update to this version or later to mitigate the vulnerability (Red Hat Advisory).