PT-2022-24920 · Unknown · Dependency-Track
Elastic-Pangolin · Published 2022-10-25 · Updated 2022-10-28 · CVE-2022-39351

CVSS v3.1: 4.4 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Dependency-Track versions prior to 4.6.0

Description: An actor with read access to Dependency-Track's audit log can recover valid API keys. When an API request is made with a valid API key that lacks the permission required for the requested operation, the rejected request is recorded in the audit log together with the full API key in clear text. A significant number of devices is estimated to be affected, although the exact number is not specified. No real-world incidents in which this issue was exploited are known.

Recommendations: For versions prior to 4.6.0, update to version 4.6.0 or later, where only the last 4 characters of the API key are logged instead of the entire key. Additionally, check historic logs for occurrences of this behavior and regenerate any API key that may have leaked.
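The following Python is an illustrative example added to this advisory; it is not code from Dependency-Track. It shows an audit-log line that writes the whole API key (the behaviour described above), the masking the 4.6.0 fix is described as applying (only the last 4 characters kept), and a defender-side scan of historic log lines for keys that are still active, which is the check the recommendations call for. The log line format, the token pattern and the sample keys are constructed assumptions, not Dependency-Track's actual format.

```python
"""Illustrative example added to this advisory; not Dependency-Track's own code.
Shows (1) an audit entry that leaks the full API key, (2) the masking a fix
like 4.6.0's is described as doing (last 4 characters only), and (3) a scan of
historic log lines for active keys. Log format and token shape are assumptions."""
import hashlib
import re
from typing import Iterable, List, Set, Tuple

VISIBLE_SUFFIX = 4  # number of trailing characters the fixed version keeps


def mask_api_key(key: str, visible: int = VISIBLE_SUFFIX) -> str:
    """Log-safe rendering: everything but the last `visible` characters becomes '*'."""
    if len(key) <= visible:
        return "*" * len(key)
    return "*" * (len(key) - visible) + key[-visible:]


def audit_entry_before_fix(key: str, endpoint: str) -> str:
    """Pre-4.6.0 behaviour as the advisory describes it: the full key lands in the log.
    (Assumed message wording, not Dependency-Track's real log line.)"""
    return f"WARN Unauthorized access attempt made by API Key {key} to {endpoint}"


def audit_entry_after_fix(key: str, endpoint: str) -> str:
    """Fixed behaviour: only the masked key is written."""
    return f"WARN Unauthorized access attempt made by API Key {mask_api_key(key)} to {endpoint}"


# Assumed shape of an API key for scanning: 20 or more URL-safe characters.
# A masked key never matches, because '*' is not in the character class.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{20,}")


def fingerprint(key: str) -> str:
    """SHA-256 of a key, so the scanner can be given fingerprints instead of plaintext."""
    return hashlib.sha256(key.encode()).hexdigest()


def find_leaked_keys(log_lines: Iterable[str],
                     active_key_fingerprints: Set[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked key) for each line containing a full, still-active key.
    Only fingerprints of the active keys are handed in, so the scan never needs
    the plaintext keys themselves; the masked form is returned for reporting."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        for token in TOKEN_RE.findall(line):
            if fingerprint(token) in active_key_fingerprints:
                hits.append((lineno, mask_api_key(token)))
    return hits


# Constructed sample keys and log lines (not real Dependency-Track output).
ACTIVE_KEYS = ["k9Qm2vX4Lp7sT1wE6rY3uZ8aB5cD0fGh", "Hn4Jt8Kq1Ls6Mw2Px9Rz3Vb7Nc5Xd0Yf"]
SAMPLE_LOG = [
    "2022-10-20 10:00:01 INFO Started Dependency-Track",
    audit_entry_before_fix(ACTIVE_KEYS[0], "/api/v1/project"),   # leaks key 0 in full
    "2022-10-20 10:00:05 INFO Audit: user alice logged in",
    audit_entry_after_fix(ACTIVE_KEYS[1], "/api/v1/bom"),        # masked, nothing to find
]


def demo() -> List[Tuple[int, str]]:
    """Scan the constructed log with fingerprints of the constructed active keys."""
    fps = {fingerprint(k) for k in ACTIVE_KEYS}
    return find_leaked_keys(SAMPLE_LOG, fps)


if __name__ == "__main__":
    for lineno, masked in demo():
        print(f"line {lineno}: full API key ending in {masked[-VISIBLE_SUFFIX:]} found; rotate it")
```

In practice the scanner would be fed the real audit log files and the fingerprints of every key currently issued; each hit identifies a key (by its last 4 characters) that should be regenerated, as the recommendations state.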

Weakness Enumeration
Cleartext Storage of Sensitive Information

Related Identifiers
CVE-2022-39351
GHSA-GH7V-4HXP-GQP4

Affected Products
Dependency-Track