Unknown · Dependency-Track · CVE-2025-61776
**Name of the Vulnerable Software and Affected Versions**
Dependency-Track versions prior to 4.13.5
**Description**
Dependency-Track is a component analysis platform used for managing software supply chain risk. Versions prior to 4.13.5 may inadvertently transmit credentials intended for a private NuGet repository to `api.nuget.org` through the HTTP `Authorization` header. This can also disclose the names and versions of components marked as internal to `api.nuget.org`. The issue occurs when all of the following hold: a Dependency-Track instance includes .NET components, a custom NuGet repository is configured, that repository is configured with authentication credentials, and the repository server does not provide the `PackageBaseAddress` resource in its service index.
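The following is an added example (not Dependency-Track's own code) showing the two checks an operator would want around this advisory: whether a custom repository's NuGet v3 service index actually advertises the `PackageBaseAddress/3.0.0` resource (the real NuGet protocol resource type behind the `PackageBaseAddress` named above), and, as the general mitigation pattern, how a client should bind an `Authorization` header to the configured repository's origin so credentials are never sent to another host. The service index documents are constructed samples, the hostnames are placeholders, and `assess_repository` reflects the advisory's four conditions rather than any Dependency-Track API.

```python
import base64
import json
from urllib.parse import urlparse

# Real NuGet v3 service index resource type that a client needs in order to
# build package-content URLs; the advisory concerns repositories that omit it.
PACKAGE_BASE_ADDRESS = "PackageBaseAddress/3.0.0"

# Constructed sample service indexes (hostnames are placeholders, not real servers).
INDEX_WITH_RESOURCE = json.dumps({
    "version": "3.0.0",
    "resources": [
        {"@id": "https://nuget.internal.example/v3/registration/",
         "@type": "RegistrationsBaseUrl/3.6.0"},
        {"@id": "https://nuget.internal.example/v3/flatcontainer/",
         "@type": "PackageBaseAddress/3.0.0"},
    ],
})
INDEX_WITHOUT_RESOURCE = json.dumps({
    "version": "3.0.0",
    "resources": [
        {"@id": "https://nuget.internal.example/v3/search",
         "@type": "SearchQueryService/3.5.0"},
    ],
})


def package_base_address(service_index_json: str):
    """Return the @id of the PackageBaseAddress resource, or None if absent."""
    index = json.loads(service_index_json)
    for resource in index.get("resources", []):
        # "@type" may be a single string or a list of strings in v3 indexes.
        types = resource.get("@type")
        if isinstance(types, str):
            types = [types]
        if PACKAGE_BASE_ADDRESS in (types or []):
            return resource.get("@id")
    return None


def assess_repository(has_dotnet_components: bool, has_credentials: bool,
                      service_index_json: str) -> dict:
    """Flag a repository config that matches the advisory's preconditions.

    Hypothetical helper: the caller supplies the facts the advisory lists
    (.NET components present, credentials configured) plus the fetched index.
    """
    base = package_base_address(service_index_json)
    at_risk = has_dotnet_components and has_credentials and base is None
    return {"package_base_address": base, "credential_exposure_risk": at_risk}


def _origin(url: str):
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, (p.hostname or "").lower(), port)


def request_headers(configured_repo_url: str, target_url: str,
                    username: str, password: str) -> dict:
    """Build headers for a request, attaching Basic auth only to the
    configured repository's own origin and only over HTTPS.

    Illustrates the mitigation pattern in general; not the project's fix.
    """
    headers = {"Accept": "application/json"}
    if _origin(configured_repo_url) == _origin(target_url) and \
            urlparse(target_url).scheme == "https":
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    return headers


if __name__ == "__main__":
    repo = "https://nuget.internal.example/v3/index.json"
    print(assess_repository(True, True, INDEX_WITHOUT_RESOURCE))
    print(request_headers(repo, "https://api.nuget.org/v3/index.json", "svc", "s3cret"))
```

Run against a live repository by fetching `<repo>/v3/index.json` and passing the body to `assess_repository`; a `True` result means the repository matches the advisory's fallback condition and the recommendations below apply.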
**Recommendations**
1. Disable custom NuGet repositories until version 4.13.5 is applied.
2. Invalidate previously used credentials.
3. Generate new credentials for use after applying version 4.13.5.