CVE-2024-40636: 
C# vulnerability analysis and mitigation

Steeltoe is an open source project that provides libraries for building cloud-native applications. A vulnerability was discovered in Steeltoe.Discovery.Eureka where credentials could be leaked into logs when using multiple Eureka server service URLs with basic authentication. The issue affects versions up to and including 3.2.7 and has been fixed in version 3.2.8 (GitHub Advisory).

The vulnerability exists in the DiscoveryClient.cs file where the code _logger.LogError(e, "FetchRegistry Failed for Eureka service urls: {EurekaServerServiceUrls}", new Uri(ClientConfig.EurekaServerServiceUrls).ToMaskedString()); only masks the first URL's credentials while exposing subsequent URLs' basic authentication credentials in plain text. The issue has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

When a fetch registry error occurs, the system logs will contain exposed basic authentication credentials for all Eureka server service URLs except the first one. This primarily affects users who are implementing peer awareness with Spring Eureka, potentially exposing sensitive authentication information in log files (GitHub Advisory).

The vulnerability has been patched in Steeltoe.Discovery.Eureka version 3.2.8. Users are advised to upgrade to this version to prevent credential leakage (GitHub Advisory).