Lucene search

VulnCheckCVE-2024-23686

HistoryJan 19, 2024 - 10:15 p.m.

CVE-2024-23686

2024-01-1922:15:08

CWE-532

VulnCheck

web.nvd.nist.gov

cve-2024-23686

dependencycheck

maven

cli

ant

debug mode

nvd

api key

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

20.6%

JSON

DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.

Affected configurations

Nvd

Node

owaspdependency-checkRange9.0.0–9.0.5ant

owaspdependency-checkRange9.0.0–9.0.5cli

owaspdependency-checkRange9.0.0–9.0.6maven

VendorProductVersionCPE
owaspdependency-check*cpe:2.3:a:owasp:dependency-check:*:*:*:*:*:ant:*:*
owaspdependency-check*cpe:2.3:a:owasp:dependency-check:*:*:*:*:*:cli:*:*
owaspdependency-check*cpe:2.3:a:owasp:dependency-check:*:*:*:*:*:maven:*:*

Vendor	Product	Version	CPE
owasp	dependency-check	*	cpe:2.3:a:owasp:dependency-check::::::ant::*
owasp	dependency-check	*	cpe:2.3:a:owasp:dependency-check::::::cli::*
owasp	dependency-check	*	cpe:2.3:a:owasp:dependency-check::::::maven::*

CNA Affected

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.owasp:dependency-check-maven",
    "versions": [
      {
        "lessThanOrEqual": "9.0.6",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "maven"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.owasp:dependency-check-cli",
    "versions": [
      {
        "lessThanOrEqual": "9.0.5",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "maven"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.owasp:dependency-check-ant",
    "versions": [
      {
        "lessThanOrEqual": "9.0.5",
        "status": "affected",
        "version": "9.0.0",
        "versionType": "maven"
      }
    ]
  }
]

References

github.com/advisories/GHSA-qqhq-8r2c-c3f5

github.com/jeremylong/DependencyCheck/security/advisories/GHSA-qqhq-8r2c-c3f5

vulncheck.com/advisories/vc-advisory-GHSA-qqhq-8r2c-c3f5

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

AI Score

5.1

Confidence

High

EPSS

0.001

Percentile

20.6%

JSON

Related for CVE-2024-23686