Lucene search

GitHub Advisory DatabaseGHSA-FRXM-V7Q3-V2WV

HistoryJan 20, 2024 - 12:30 a.m.

Insertion of Sensitive Information into Log File in OWASP DependencyCheck

2024-01-2000:30:27

CWE-532

GitHub Advisory Database

github.com

owasp

dependencycheck

maven

cli

ant

sensitive information

log file

nvd api key

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

20.8%

JSON

DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.

Affected configurations

Vulners

Node

owaspdependency-checkRange<9.0.6maven

owaspdependency-checkRange<9.0.6cli

owaspdependency-checkRange<9.0.6ant

CPENameOperatorVersion
org.owasp:dependency-check-mavenlt9.0.6
org.owasp:dependency-check-clilt9.0.6
org.owasp:dependency-check-antlt9.0.6

Name	Operator	Version
org.owasp:dependency-check-maven	lt	9.0.6
org.owasp:dependency-check-cli	lt	9.0.6
org.owasp:dependency-check-ant	lt	9.0.6

References

github.com/advisories/GHSA-frxm-v7q3-v2wv

github.com/advisories/GHSA-qqhq-8r2c-c3f5

github.com/jeremylong/DependencyCheck/security/advisories/GHSA-qqhq-8r2c-c3f5

nvd.nist.gov/vuln/detail/CVE-2024-23686

vulncheck.com/advisories/vc-advisory-GHSA-qqhq-8r2c-c3f5

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

7 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

20.8%

JSON

Related for GHSA-FRXM-V7Q3-V2WV