CVE-2022-39351
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2022-39351
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-39351.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-39351
- Related
- Published
- 2022-10-25T17:15:56Z
- Modified
- 2025-01-08T08:48:03.104225Z
- Severity
-
- 4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid API key with insufficient permissions causes the API key to be written to Dependency-Track's audit log in clear text. Actors with access to the audit log can exploit this flaw to gain access to valid API keys. The issue has been fixed in Dependency-Track 4.6.0. Instead of logging the entire API key, only the last 4 characters of the key will be logged. It is strongly recommended to check historic logs for occurrences of this behavior, and re-generating API keys in case of leakage.
- References
Affected packages
Git / github.com/dependencytrack/dependency-track
Affected ranges
- Type
- GIT
- Repo
- https://github.com/dependencytrack/dependency-track
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
3.*
3.0.0
3.0.1
3.0.3
3.0.4
3.1.0
3.1.1
3.2.0
3.2.1
3.2.2
3.3.0
3.3.1
3.4.0
3.4.1
3.5.0
3.5.1
3.6.0
3.6.1
3.7.0
3.7.1
3.8.0
4.*
4.0.0
4.0.0-SNAPSHOT
4.0.0-beta.1
4.0.0-beta.2
4.0.0-beta.3
4.0.0-beta.4
4.0.0-rc.1
4.0.1
4.1.0
4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.4.0
4.4.1
4.4.2
4.5.0