CVE-2024-23686

2024-01-1922:15:08

CWE-532

[email protected]

web.nvd.nist.gov

cve-2024-23686

dependencycheck

maven

cli

ant

debug mode

nvd

api key

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.1 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.8%

JSON

DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.

Affected configurations

NVD

Node

owaspdependency-checkRange9.0.0–9.0.5ant

owaspdependency-checkRange9.0.0–9.0.5cli

owaspdependency-checkRange9.0.0–9.0.6maven

CPENameOperatorVersion
owasp:dependency-checkowasp dependency-checkle9.0.5
owasp:dependency-checkowasp dependency-checklt9.0.6

CPE	Name	Operator	Version
owasp:dependency-check	owasp dependency-check	le	9.0.5
owasp:dependency-check	owasp dependency-check	lt	9.0.6

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.owasp:dependency-check-maven",
    "versions": [
      {
        "lessThanOrEqual": "9.0.6",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "maven"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.owasp:dependency-check-cli",
    "versions": [
      {
        "lessThanOrEqual": "9.0.5",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "maven"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.owasp:dependency-check-ant",
    "versions": [
      {
        "lessThanOrEqual": "9.0.5",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "maven"
      }
    ]
  }
]