CVE-2024-23686 – org.owasp:dependency-check-maven
Package
Manager: maven
Name: org.owasp:dependency-check-maven
Vulnerable Version: >=9.0.0 <9.0.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00529 (percentile 0.66281)
Details
Insertion of Sensitive Information into Log File (CWE-532) in OWASP DependencyCheck: the Maven plugin in versions 9.0.0 to 9.0.6, the CLI in versions 9.0.0 to 9.0.5, and the Ant task in versions 9.0.0 to 9.0.5, when run in debug mode, write the NVD API Key to the log, allowing an attacker with access to the log file to recover it.
Metadata
Created: 2024-01-20T00:30:27Z
Modified: 2025-06-17T19:25:05Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-frxm-v7q3-v2wv/GHSA-frxm-v7q3-v2wv.json
CWE IDs: CWE-532
Alternative ID: GHSA-frxm-v7q3-v2wv
Finding: F431
Auto approve: 1