CVE-2022-39351

Dependency-Track vulnerable to logging of API keys in clear text when handling API requests using keys with insufficient permissions

Severity Score

4.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid API key with insufficient permissions causes the API key to be written to Dependency-Track's audit log in clear text. Actors with access to the audit log can exploit this flaw to gain access to valid API keys. The issue has been fixed in Dependency-Track 4.6.0. Instead of logging the entire API key, only the last 4 characters of the key will be logged. It is strongly recommended to check historic logs for occurrences of this behavior, and re-generating API keys in case of leakage.

Dependency-Track es una plataforma de análisis de componentes que permite a las organizaciones identificar y reducir el riesgo en la cadena de suministro de software. versiones anteriores a 4.6.0, llevar a cabo una petición de API usando una clave de API válida con permisos insuficientes causa que la clave de API sea escrita en el registro de auditoría de Dependency-Track en texto sin cifrar. Los actores con acceso al registro de auditoría pueden aprovechar este fallo para conseguir acceso a claves de API válidas. El problema ha sido corregido en Dependency-Track versión 4.6.0. En lugar de registrar toda la clave API, sólo serán registrados los últimos 4 caracteres de la clave. Es recomendado encarecidamente comprobar los registros históricos para comprobar si es producido este comportamiento, y volver a generar las claves de API en caso de filtración

*Credits: N/A

CVSS Scores

NISTv3.1 4.4

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-09-02 CVE Reserved
2022-10-25 CVE Published
2024-05-17 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-312: Cleartext Storage of Sensitive Information

CAPEC

References (3)

URL	Tag	Source
https://docs.dependencytrack.org/changelog	Product
https://github.com/DependencyTrack/dependency-track/blob/4.5.0/src/main/docker/logback.xml	Third Party Advisory
https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-gh7v-4hxp-gqp4	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Owasp Search vendor "Owasp"		Dependency-track Search vendor "Owasp" for product "Dependency-track"				< 4.6.0 Search vendor "Owasp" for product "Dependency-track" and version " < 4.6.0"		-		Affected