CVE-2022-39351 MEDIUM

CVE-2022-39351: Dependency-Track vulnerable to logging of API keys in clear text when handling API requests using keys with insufficient permissions

Vendor Dependencytrack
Product dependency-track
Weakness CWE-312 · Cleartext Storage of Sensitive Information
Published October 25, 2022
Last update April 23, 2025

CVSS base score

4.4/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

Description

Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid API key with insufficient permissions causes the full API key to be written to Dependency-Track's audit log in clear text. Anyone with read access to the audit log (or to wherever those logs are shipped) can harvest valid API keys from it. The issue has been fixed in Dependency-Track 4.6.0: instead of logging the entire API key, only the last 4 characters of the key are logged. It is strongly recommended to check historic logs for occurrences of this behavior and to regenerate any API key that appears in them.
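The logging difference the advisory describes, together with the historic-log check it recommends, as an added Python example that is not Dependency-Track's own code. The audit-log message wording, the `odt_` key prefix and the `****` mask are assumptions made for the example, and the log excerpt is constructed; adjust the regular expression to the message format your deployment actually writes.

```python
import re

# Constructed sample keys (assumption: the keys carry an "odt_" prefix; the
# scanner below does not depend on it).
KEY_A = "odt_Zx4qV9mL2pR7tK1nW6yB3cH8sF5dG0eJ"
KEY_B = "odt_Qw8eR2tY5uI7oP1aS3dF6gH9jK0lZ4xC"

# Assumed shape of the "insufficient permissions" audit-log message.
UNAUTH_RE = re.compile(
    r"Unauthorized access attempt made by API Key (\S+) to resource (\S+)"
)


def mask_api_key(key: str) -> str:
    """Post-4.6.0 behaviour described in the advisory: only the last 4
    characters survive. The '****' placeholder is this example's choice."""
    return "****" + key[-4:]


def log_unauthorized_vulnerable(key: str, resource: str) -> str:
    """Pre-4.6.0: the full key lands in the audit log."""
    return f"Unauthorized access attempt made by API Key {key} to resource {resource}"


def log_unauthorized_fixed(key: str, resource: str) -> str:
    """4.6.0+: same message, key masked before it is logged."""
    return log_unauthorized_vulnerable(mask_api_key(key), resource)


def find_leaked_keys(lines):
    """Map each unmasked key found in 'insufficient permissions' audit lines to
    the 1-based line numbers where it appears. Already-masked entries written
    by a fixed instance are skipped."""
    leaks = {}
    for n, line in enumerate(lines, 1):
        m = UNAUTH_RE.search(line)
        if m is None or m.group(1).startswith("****"):
            continue
        leaks.setdefault(m.group(1), []).append(n)
    return leaks


def rotation_report(lines):
    """Return (masked_key, line_numbers) pairs: enough to identify which keys
    to regenerate without copying the full key into yet another file."""
    return sorted((mask_api_key(k), ns) for k, ns in find_leaked_keys(lines).items())


# Constructed audit-log excerpt: lines 1-4 from a pre-4.6.0 instance,
# line 5 written after the upgrade to 4.6.0.
SAMPLE_LOG = [
    "2022-10-20 09:14:02 INFO  " + log_unauthorized_vulnerable(KEY_A, "/api/v1/project"),
    "2022-10-20 09:15:40 INFO  Authentication successful for API Key",
    "2022-10-21 11:02:33 INFO  " + log_unauthorized_vulnerable(KEY_B, "/api/v1/vulnerability"),
    "2022-10-22 07:48:19 INFO  " + log_unauthorized_vulnerable(KEY_A, "/api/v1/policy"),
    "2022-11-02 08:00:00 INFO  " + log_unauthorized_fixed(KEY_A, "/api/v1/bom"),
]

if __name__ == "__main__":
    for masked, line_numbers in rotation_report(SAMPLE_LOG):
        print(f"key ending {masked[-4:]} leaked on log lines {line_numbers}: regenerate it")
```

Run the scanner over every log copy that existed while a pre-4.6.0 instance was live (including forwarded copies in a SIEM or log archive), since a key is only as safe as the least-protected file it was written to; the report keeps just the last four characters so it can be shared with the key owners without leaking the key again.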

Key dates

Disclosure timeline

October 25, 2022 CVE published
April 23, 2025 Record updated