PT-2023-32948 · Unknown · Dependencycheck For Ant+2

Published: 2023-12-15 · Updated: 2024-01-26 · CVE-2024-23686

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

DependencyCheck for Maven versions 9.0.0 through 9.0.6
DependencyCheck for CLI versions 9.0.0 through 9.0.5
DependencyCheck for Ant versions 9.0.0 through 9.0.5
Description

The issue allows an attacker to recover the NVD API Key from a log file when DependencyCheck is run in debug mode: the value of the nvdApiKey configuration parameter is written to the log in clear text. Although the NVD API key is not highly sensitive, as it only grants a higher rate limit for publicly available data, it should still be treated as a secret and not exposed. If stolen, the key gives an attacker access only to information that is already public.
Recommendations

For DependencyCheck for Maven versions 9.0.0 through 9.0.6, DependencyCheck for CLI versions 9.0.0 through 9.0.5 and DependencyCheck for Ant versions 9.0.0 through 9.0.5, disable debug mode until a patch is available so that the NVD API Key is not logged in clear text. As a temporary workaround, configure the nvdApiKey through a secure method that does not write the key to the log in clear text.
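Build logs produced while debug mode was enabled can be checked for the exposure described above before they are archived or shared. The following is an added example, not code from the advisory or from the DependencyCheck project: it scans log text for the nvdApiKey parameter name followed by a value and redacts what it finds. The sample log lines and the key=value / JSON-style patterns are constructed assumptions, not DependencyCheck's actual log format.

```python
import re
import sys

# The parameter name comes from the advisory; the surrounding syntax
# (key=value, key: value, "key": "value") is an assumption about how a
# configuration dump might look, not DependencyCheck's real log format.
KEY_PATTERN = re.compile(
    r'(?P<prefix>nvdApiKey["\']?\s*[=:]\s*["\']?)'
    r'(?P<value>[A-Za-z0-9\-]{8,})',
    re.IGNORECASE,
)


def find_exposed_keys(lines):
    """Return (line_number, value) for every nvdApiKey value found in the log."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in KEY_PATTERN.finditer(line):
            findings.append((number, match.group("value")))
    return findings


def redact_line(line):
    """Keep the parameter name but replace its value with a placeholder."""
    return KEY_PATTERN.sub(lambda m: m.group("prefix") + "<redacted>", line)


def redact_log(lines):
    """Redact every line so the log can be archived or shared safely."""
    return [redact_line(line) for line in lines]


# Constructed sample log; the key values are made-up placeholders.
SAMPLE_LOG = [
    "[DEBUG] Starting dependency analysis",
    "[DEBUG] Settings: nvdApiKey=aaaa1111-bbbb-2222-cccc-333344445555",
    "[DEBUG] Downloading NVD data feed",
    '[DEBUG] config {"nvdApiKey": "deadbeefcafe0123", "nvdApiDelay": 1000}',
    "[INFO] nvdApiKey configured: yes",  # mentions the name, leaks no value
]

if __name__ == "__main__":
    # Usage: python scan_log.py build.log  (falls back to the sample above)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for number, value in find_exposed_keys(lines):
        print(f"line {number}: nvdApiKey value exposed ({len(value)} chars)")
    print("\n".join(redact_log(lines)))
```

A non-empty result from find_exposed_keys on a CI log is a signal that debug mode was left on with a key configured, and that the key should be rotated.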

Fix

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2024-23686
GHSA-FRXM-V7Q3-V2WV
GHSA-QQHQ-8R2C-C3F5

Affected Products

Dependencycheck For Ant
Dependencycheck For Cli
Dependencycheck For Maven