CVE-2024-23686 – DependencyCheck Debug Mode Logging of NVD API Key
https://notcve.org/view.php?id=CVE-2024-23686
DependencyCheck for Maven 9.0.0 through 9.0.6, the CLI 9.0.0 through 9.0.5, and Ant 9.0.0 through 9.0.5, when run in debug mode, writes the NVD API key into its log output, so anyone who can read the log file (a shared CI build log, for example) can recover the key. Upgrade past the affected ranges and, if debug logs from an affected version were ever stored or published, treat the key as compromised and rotate it.
• https://github.com/advisories/GHSA-qqhq-8r2c-c3f5
• https://github.com/jeremylong/DependencyCheck/security/advisories/GHSA-qqhq-8r2c-c3f5
• https://vulncheck.com/advisories/vc-advisory-GHSA-qqhq-8r2c-c3f5
• CWE-532: Insertion of Sensitive Information into Log File
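The two sides of a CWE-532 bug, as an added example that is not Dependency-Check's own code: a debug line that interpolates the raw credential, the same line with the value masked at the point of logging, and a scanner that sweeps existing log files for the leaked key. It assumes NVD API keys are UUID-style strings and that the key appears next to a label such as apiKey or nvd.api.key; the label names and the sample log lines are constructed for this example, not real Dependency-Check output.

```python
import re

# Assumption for this example: NVD API keys are issued as UUID-style strings.
UUID_RE = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"

# Catch the key wherever it appears as a header, query parameter or property value.
# The label names are hypothetical choices for this example.
LEAK_RE = re.compile(
    r"(?P<label>(?:apiKey|nvdApiKey|nvd\.api\.key)\s*[=:]\s*)(?P<key>" + UUID_RE + r")",
    re.IGNORECASE,
)

# Constructed sample log; the second and fourth lines leak the same key.
SAMPLE_LOG = """\
2024-01-19 10:12:01 DEBUG NvdApiDataSource - requesting https://services.nvd.nist.gov/rest/json/cves/2.0?startIndex=0
2024-01-19 10:12:01 DEBUG NvdApiDataSource - header apiKey: 123e4567-e89b-12d3-a456-426614174000
2024-01-19 10:12:02 INFO  Engine - analysis complete
2024-01-19 10:12:03 DEBUG Settings - nvd.api.key=123e4567-e89b-12d3-a456-426614174000
"""


def find_leaked_keys(log_text):
    """Return (line_number, key) for every log line that exposes an API key."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in LEAK_RE.finditer(line):
            hits.append((lineno, m.group("key")))
    return hits


def redact(value, keep=4):
    """Mask a secret, keeping only its last `keep` characters so operators can
    still tell which key was in use without the log revealing it."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def sanitize_log_line(line):
    """Rewrite a line so any embedded key is masked before it reaches a log sink."""
    return LEAK_RE.sub(lambda m: m.group("label") + redact(m.group("key")), line)


def vulnerable_debug_line(url, api_key):
    """The CWE-532 pattern: the raw credential is interpolated into a debug message."""
    return f"DEBUG NvdApiDataSource - request {url} apiKey: {api_key}"


def hardened_debug_line(url, api_key):
    """Same diagnostic value, but the credential is masked where it is logged."""
    return f"DEBUG NvdApiDataSource - request {url} apiKey: {redact(api_key)}"


if __name__ == "__main__":
    for lineno, key in find_leaked_keys(SAMPLE_LOG):
        print(f"line {lineno}: leaked key ending in {key[-4:]}")
    for line in SAMPLE_LOG.splitlines():
        print(sanitize_log_line(line))
```

Run the scanner over archived CI logs from the affected versions; any hit means the key has to be rotated, because masking after the fact does nothing for copies of the log that already left the build host.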
CVE-2018-12036
https://notcve.org/view.php?id=CVE-2018-12036
OWASP Dependency-Check before 3.2.0 extracts archives without verifying that each entry's resolved path stays inside the extraction directory, so a crafted archive whose entry names contain directory traversal (../ components) lets an attacker write to arbitrary files the scanning process can reach. This is the "Zip Slip" class of bug documented in the Snyk reference below; any archive that Dependency-Check unpacks as part of a scan can carry such entries. Fixed in 3.2.0.
• https://github.com/jeremylong/DependencyCheck/blob/master/RELEASE_NOTES.md#version-320-2018-05-21
• https://github.com/snyk/zip-slip-vulnerability
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-123: Write-what-where Condition
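The traversal described above, as an added example that is not Dependency-Check's code: a zip built in memory with an entry named ../outside/pwned.txt, an extractor that joins entry names to the destination without a containment check (the pre-3.2.0 pattern), and a hardened extractor that resolves every target path and refuses anything outside the destination. Everything runs inside a scratch directory; the archive and its entry names are constructed for this example.

```python
import io
import os
import tempfile
import zipfile

# Constructed entry name that climbs one level above the extraction directory.
TRAVERSAL_NAME = "../outside/pwned.txt"


def build_malicious_zip():
    """Build, in memory, an archive with one benign entry and one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "harmless\n")
        zf.writestr(TRAVERSAL_NAME, "written outside the target dir\n")
    return buf.getvalue()


def extract_vulnerable(zip_bytes, dest):
    """Pre-fix pattern: trust the entry name and join it straight onto dest.
    Returns the resolved paths actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def extract_hardened(zip_bytes, dest):
    """Resolve each target and refuse any entry whose path escapes dest."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # commonpath on the resolved paths catches ../, absolute names and
            # symlinked parents alike; a plain startswith on the raw string would not.
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"refusing traversal entry: {info.filename!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors against the malicious archive in a temp directory.
    Returns which files the vulnerable extractor wrote outside dest and whether
    the hardened extractor blocked the archive."""
    zip_bytes = build_malicious_zip()
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "dest")
        os.makedirs(dest)
        inside = os.path.realpath(dest) + os.sep
        escaped = [p for p in extract_vulnerable(zip_bytes, dest) if not p.startswith(inside)]
        try:
            extract_hardened(zip_bytes, dest)
            blocked = False
        except ValueError:
            blocked = True
    return {"escaped": escaped, "blocked": blocked}


if __name__ == "__main__":
    result = demo()
    print("vulnerable extractor wrote outside dest:", result["escaped"])
    print("hardened extractor blocked the archive:", result["blocked"])
```

The example writes entries by hand rather than calling zipfile.extractall, because Python's own extractor already strips traversal components; the manual loop is what reproduces the behaviour of an unpacker that does not. The same check applies to tar and jar handling, and the write should happen only after every entry has been validated if partial extraction of a hostile archive is itself a concern.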