CVE-2024-23686
Severity: MEDIUM (5.3) | EPSS: 0.65%
Title: nvdApiKey is logged in debug mode
Description
### Summary

The value of the `nvdApiKey` configuration parameter is logged in clear text in debug mode.

### Details

The NVD API key is a kind of secret and should be treated like other secrets when logging in debug mode. The expected behavior is the same as for the various password configuration values: print `******` instead of the value.

Note that while the NVD API key is an access token for the NVD API, it is not especially sensitive. The only thing an NVD API key grants is a higher rate limit when making calls to publicly available data. The data available from the NVD API is the same whether or not you have an API key.

### PoC

The `nvdApiKey` is configured to use an environment variable; when running `mvn -X dependency-check:check` the clear-text value is logged twice.

### Impact

The NVD API key is a kind of secret and should not be exposed. If stolen, an attacker can use this key to obtain already public information.
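The advisory asks for the same treatment the plugin already gives password settings: mask secret-like values before a debug-mode settings dump. The following is an added illustration, not code from the DependencyCheck project; the settings dictionary is constructed (the `nvdApiKey` value is a made-up placeholder, not a real token), and the key-name pattern used to decide what counts as a secret is an assumption. It shows the unsafe dump beside the redacted one and a small check a defender can run over log output to confirm no secret value survived.

```python
import logging
import re

# Constructed example settings. Only the key name nvdApiKey comes from the
# advisory; every value here is a placeholder, not a real credential.
SETTINGS = {
    "nvdApiKey": "EXAMPLE-not-a-real-key-0123456789",
    "nvdDatafeedUrl": "https://example.invalid/nvd",
    "proxyPassword": "s3cret-placeholder",
    "failBuildOnCVSS": "7",
}

# Assumed heuristic: a setting is secret if its name mentions a key/token/password.
SECRET_KEY_PATTERN = re.compile(r"(apikey|token|password|secret|credential)", re.IGNORECASE)
MASK = "******"


def is_secret_key(name):
    """True when the setting name looks like it holds a credential."""
    return bool(SECRET_KEY_PATTERN.search(name))


def redact_settings(settings):
    """Return a copy of the settings with secret-like values replaced by MASK."""
    return {k: (MASK if is_secret_key(k) else v) for k, v in settings.items()}


def dump_settings_unsafe(settings):
    """The weak pattern from the advisory: every value, including the API key, in clear text."""
    return "\n".join(f"{k}={v}" for k, v in settings.items())


def dump_settings_safe(settings):
    """The corrected pattern: redact before rendering the debug dump."""
    return "\n".join(f"{k}={v}" for k, v in redact_settings(settings).items())


def leaked_values(log_text, settings):
    """Detection check: names of secret settings whose value appears verbatim in log text."""
    return sorted(k for k, v in settings.items() if is_secret_key(k) and v in log_text)


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    log = logging.getLogger("dependency-check-example")
    # Debug-mode dump with secrets masked.
    log.debug("Settings:\n%s", dump_settings_safe(SETTINGS))
    # Scanning the unsafe dump reports the leaked keys; the safe dump reports none.
    print("leaked from unsafe dump:", leaked_values(dump_settings_unsafe(SETTINGS), SETTINGS))
    print("leaked from safe dump:", leaked_values(dump_settings_safe(SETTINGS), SETTINGS))
```

Running `leaked_values` over a captured `mvn -X` log is a cheap way to verify a fix such as the one in 9.0.6: any setting name it returns is a value that still reaches the log in clear text.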
Affected packages
- Maven: org.owasp:dependency-check-ant, versions >= 9.0.0, < 9.0.6
- Maven: org.owasp:dependency-check-cli, versions >= 9.0.0, < 9.0.6
- Maven: org.owasp:dependency-check-maven, versions >= 9.0.0, < 9.0.6
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.3) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References (5)
- ADVISORY: https://github.com/advisories/GHSA-qqhq-8r2c-c3f5
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-23686
- PATCH: https://github.com/jeremylong/DependencyCheck
- WEB: https://github.com/jeremylong/DependencyCheck/security/advisories/GHSA-qqhq-8r2c-c3f5
- WEB: https://vulncheck.com/advisories/vc-advisory-GHSA-qqhq-8r2c-c3f5