CVE-2024-23686
nvdApiKey is logged in debug mode
Description
### Summary

The value of the `nvdApiKey` configuration parameter is logged in clear text when debug logging is enabled.

### Details

The NVD API key is a secret and should be treated like the other secrets when logging in debug mode, i.e. the same way several password configuration values are already handled: print `******` instead of the value.

Note that, while the NVD API key is an access token for the NVD API, it is not very sensitive. The only thing an API key grants is a higher rate limit when calling an API that serves publicly available data; the data returned by the NVD API is the same with or without a key.

### PoC

Configure `nvdApiKey` from an environment variable and run `mvn -X dependency-check:check`: the clear-text value is written to the debug log twice.

### Impact

The NVD API key is a secret and should not be exposed. If stolen, an attacker can use the key to obtain information that is already public; the practical loss is the higher rate limit tied to that key.
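The following script is an added example, not code from the advisory or from the dependency-check project. It mechanises the PoC check for a build log: given the key value and a log file, it reports whether the key appears in clear text, printing only a masked form of the key (the `******` convention the advisory asks for) so that the check itself does not leak it, and returns non-zero so it can gate a CI job. The key value and the `[DEBUG]` lines are constructed to resemble Maven `-X` mojo parameter output; they are placeholders, not captured output.

```shell
#!/bin/sh
# Added example (not from the advisory or the dependency-check project).
# Assumptions: the key value is passed in as a string; the sample log lines
# are constructed to look like `mvn -X` parameter dumps; the key is a
# made-up placeholder, not a real NVD API key.

# Mask a secret the way password-type settings are printed: keep a
# 4-character prefix for recognisability, replace the rest with asterisks.
mask_secret() {
    s="$1"
    if [ "${#s}" -le 4 ]; then
        printf '******\n'
    else
        printf '%s******\n' "$(printf '%s' "$s" | cut -c1-4)"
    fi
}

# Count the lines of log $1 that contain the literal value $2.
# grep -F: fixed string, so characters in the key are never parsed as regex.
# `|| true` keeps the "0" output when grep exits 1 on no match.
count_secret_lines() {
    grep -F -c -- "$2" "$1" || true
}

# Return 1 (and print a masked report) when the key is found in clear text,
# 0 otherwise. Suitable as a CI gate after running the PoC command.
check_log() {
    log="$1"
    secret="$2"
    n="$(count_secret_lines "$log" "$secret")"
    if [ "$n" -gt 0 ]; then
        printf 'LEAK: key %s appears on %s line(s) in %s\n' \
            "$(mask_secret "$secret")" "$n" "$log"
        return 1
    fi
    printf 'OK: key not present in clear text in %s\n' "$log"
    return 0
}

# Write a constructed debug log to $1 in which the nvdApiKey parameter is
# printed as $2: the real key for a vulnerable version, the masked form for
# a fixed one. The advisory observes the value twice, hence two lines.
write_sample_log() {
    cat > "$1" <<EOF
[DEBUG] Configuring mojo 'dependency-check:check' with basic configurator -->
[DEBUG]   (f) nvdApiKey = $2
[DEBUG]   (f) autoUpdate = true
[DEBUG]   (f) nvdApiKey = $2
[INFO] Checking for updates
EOF
}

# Constructed placeholder value, not a real NVD API key.
SAMPLE_KEY='0123abcd-4567-89ef-0123-456789abcdef'

vuln_log="$(mktemp)"
write_sample_log "$vuln_log" "$SAMPLE_KEY"
check_log "$vuln_log" "$SAMPLE_KEY" || :    # prints LEAK ..., status 1

fixed_log="$(mktemp)"
write_sample_log "$fixed_log" "$(mask_secret "$SAMPLE_KEY")"
check_log "$fixed_log" "$SAMPLE_KEY" || :   # prints OK ..., status 0

rm -f "$vuln_log" "$fixed_log"
```

In a real pipeline, capture the output of `mvn -X dependency-check:check` to a file and call `check_log` on it with the value of the environment variable that feeds `nvdApiKey`; the same check applies to any other secret you pass into a build, since Maven's `-X` output dumps every mojo parameter it configures.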
How to fix CVE-2024-23686
To remediate CVE-2024-23686, upgrade the affected packages to a fixed version below.
- all six affected packages listed below: upgrade to 9.0.6 or later
Is CVE-2024-23686 being exploited?
Low. EPSS is 0.7%, i.e. the estimated probability of exploitation activity in the next 30 days is low and exploitation has not been observed at scale.
Affected packages (6)
- >= 9.0.0, < 9.0.6
- >= 9.0.0, < 9.0.6
- >= 9.0.0, < 9.0.6
- >= 9.0.0, < 9.0.6
- >= 9.0.0, < 9.0.6
- >= 9.0.0, < 9.0.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |