Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dependency-Track vulnerable to logging of API keys in clear text when handling API requests using keys with insufficient permissions
Vulnerability Description
Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid API key with insufficient permissions causes the API key to be written to Dependency-Track's audit log in clear text. Actors with access to the audit log can exploit this flaw to gain access to valid API keys. The issue has been fixed in Dependency-Track 4.6.0. Instead of logging the entire API key, only the last 4 characters of the key will be logged. It is strongly recommended to check historic logs for occurrences of this behavior, and re-generating API keys in case of leakage.
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
敏感数据的明文存储
Vulnerability Title
Dependency-Track 安全漏洞
Vulnerability Description
Dependency-Track是一套用于识别第三方组件风险的智能供应链组件分析平台。 Dependency-Track 4.6.0之前版本存在安全漏洞,该漏洞源于使用权限不足的有效API密钥执行API请求会导致API密钥以明文形式写入Dependency-Track的审核日志,有权访问审计日志的参与者可以利用此漏洞来访问有效的API密钥。
CVSS Information
N/A
Vulnerability Type
N/A