CVE-2022-39351

Published: Oct 25, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

4.4

MEDIUM

Description

Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid API key with insufficient permissions causes the API key to be written to Dependency-Track's audit log in clear text. Actors with access to the audit log can exploit this flaw to gain access to valid API keys. The issue has been fixed in Dependency-Track 4.6.0. Instead of logging the entire API key, only the last 4 characters of the key will be logged. It is strongly recommended to check historic logs for occurrences of this behavior, and re-generating API keys in case of leakage.

Vendor	Product	Versions
DependencyTrack	dependency-track	affected `< 4.6.0`

Weaknesses (CWE)

CWE-312

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://docs.dependencytrack.org/changelog/

https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-gh7v-4hxp-gqp4

https://github.com/DependencyTrack/dependency-track/blob/4.5.0/src/main/docker/logback.xml

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-39351

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References