GHSA-qqhq-8r2c-c3f5 org.owasp:dependency-check-cli

Package

Manager: maven
Name: org.owasp:dependency-check-cli
Vulnerable Version: >=9.0.0 <9.0.6

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

nvdApiKey is logged in debug mode

### Summary

The value of the `nvdApiKey` configuration parameter is logged in clear text in debug mode.

### Details

The NVD API key is a kind of secret and should be treated like other secrets when logging in debug mode. The expected behavior is the same as for the existing password configuration parameters: print `******` instead of the value.

Note that while the NVD API key is an access token for the NVD API, it is not especially sensitive. The only thing an NVD API key grants is a higher rate limit when making calls to publicly available data. The data available from the NVD API is the same whether or not you have an API key.

### PoC

With `nvdApiKey` configured to read from an environment variable, running `mvn -X dependency-check:check` logs the clear-text value twice.

### Impact

The NVD API key is a kind of secret and should not be exposed. If stolen, an attacker can use this key to obtain already public information.
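The fix the advisory asks for is the usual CWE-532 mitigation: when a debug-level dump of the configuration is written, values of secret-bearing keys are replaced by `******` before they reach the logger. The following is an added illustration, not dependency-check's own code: it contrasts a naive settings dump with a masked one. Only the key name `nvdApiKey` comes from the advisory; the other key names, the settings map and the `isSecretKey` heuristic are assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class ConfigLogRedaction {

    // Keys whose values must never be written to a log, even at debug level.
    // "nvdApiKey" is the key named in the advisory; the rest are assumed examples.
    private static final List<String> SECRET_KEYS = List.of(
            "nvdApiKey", "proxyPassword", "dbPassword");

    private static final String MASK = "******";

    /** Naive debug dump: every value is logged verbatim (the pattern the advisory reports). */
    static String dumpUnmasked(Map<String, String> settings) {
        StringBuilder sb = new StringBuilder();
        settings.forEach((k, v) -> sb.append(k).append('=').append(v).append('\n'));
        return sb.toString();
    }

    /** Assumed heuristic: exact match against the secret list, or a secret-looking suffix. */
    static boolean isSecretKey(String key) {
        String lower = key.toLowerCase(Locale.ROOT);
        for (String s : SECRET_KEYS) {
            if (lower.equals(s.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return lower.endsWith("password") || lower.endsWith("apikey") || lower.endsWith("token");
    }

    /** Masked debug dump: secret values are replaced before the line is built. */
    static String dumpMasked(Map<String, String> settings) {
        StringBuilder sb = new StringBuilder();
        settings.forEach((k, v) -> {
            String shown = (v == null || v.isEmpty()) ? v : (isSecretKey(k) ? MASK : v);
            sb.append(k).append('=').append(shown).append('\n');
        });
        return sb.toString();
    }

    /** Regression check: the clear-text secret must not appear anywhere in the dump. */
    static boolean leaksSecret(String dump, Map<String, String> settings) {
        for (Map.Entry<String, String> e : settings.entrySet()) {
            if (isSecretKey(e.getKey()) && e.getValue() != null && !e.getValue().isEmpty()
                    && dump.contains(e.getValue())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed settings; the key value is a placeholder, not a real NVD API key.
        // In the advisory's PoC the value came from an environment variable, but the
        // source of the value does not matter: masking happens at the logging boundary.
        Map<String, String> settings = new LinkedHashMap<>();
        settings.put("nvdApiKey", "EXAMPLE-NVD-API-KEY-PLACEHOLDER");
        settings.put("proxyPassword", "EXAMPLE-PROXY-PASSWORD");
        settings.put("nvdApiDelay", "4000");
        settings.put("dataDirectory", "/tmp/dependency-check-data");

        String unmasked = dumpUnmasked(settings);
        String masked = dumpMasked(settings);

        System.out.println("--- unmasked (leaks: " + leaksSecret(unmasked, settings) + ") ---");
        System.out.print(unmasked);
        System.out.println("--- masked (leaks: " + leaksSecret(masked, settings) + ") ---");
        System.out.print(masked);

        if (leaksSecret(masked, settings)) {
            throw new IllegalStateException("secret value reached the log output");
        }
    }
}
```

The mask is applied while the log line is assembled rather than by post-filtering the logger output, so it works the same whether the value was set on the command line, in a properties file, or from an environment variable as in the PoC. Keeping the secret-key list in one place also makes it easy to audit when a new credential-like setting such as `nvdApiKey` is introduced.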

Metadata

Created: 2023-12-15T23:43:30Z
Modified: 2023-12-16T00:51:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-qqhq-8r2c-c3f5/GHSA-qqhq-8r2c-c3f5.json
CWE IDs: ["CWE-532"]
Alternative ID: N/A
Finding: F183
Auto approve: 1