CVE-2024-23686: Insertion of Sensitive Information into Log File

January 20, 2024 (updated January 23, 2024)

DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.

References

github.com/advisories/GHSA-frxm-v7q3-v2wv
github.com/advisories/GHSA-qqhq-8r2c-c3f5
github.com/jeremylong/DependencyCheck/security/advisories/GHSA-qqhq-8r2c-c3f5
nvd.nist.gov/vuln/detail/CVE-2024-23686
vulncheck.com/advisories/vc-advisory-GHSA-qqhq-8r2c-c3f5

Detect and mitigate CVE-2024-23686 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →