CVE-2024-23686

DependencyCheck Debug Mode Logging of NVD API Key

CVSS 5.3 MEDIUMEPSS 0.6%CWE-532

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.3EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

19 jan 2024Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Produtos afetados

org.owasp:dependency-check-antorg.owasp:dependency-check-cliorg.owasp:dependency-check-maven

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/advisories/GHSA-qqhq-8r2c-c3f5 https://github.com/jeremylong/DependencyCheck/security/advisories/GHSA-qqhq-8r2c-c3f5 https://vulncheck.com/advisories/vc-advisory-GHSA-qqhq-8r2c-c3f5