CVE-2024-23686

DependencyCheck Debug Mode Logging of NVD API Key

CVSS 5.3 MEDIUMEPSS 0.6%CWE-532

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.3EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

19 ene 2024Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Productos afectados

org.owasp:dependency-check-antorg.owasp:dependency-check-cliorg.owasp:dependency-check-maven

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/advisories/GHSA-qqhq-8r2c-c3f5 https://github.com/jeremylong/DependencyCheck/security/advisories/GHSA-qqhq-8r2c-c3f5 https://vulncheck.com/advisories/vc-advisory-GHSA-qqhq-8r2c-c3f5