Advisories for Maven/Org.owasp/Dependency-Check-Maven package

DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.

Summary The value of nvdApiKey configuration parameter is logged in clear text in debug mode. Details The NVD API key is a kind of secret and should be treated like other secrets when logging in debug mode. Expecting the same behavior as for several password configurations: just print ****** Note that while the NVD API Key is an access token for the NVD API - they are not that sensitive. …

OWASP Dependency-Check allows attackers to write to arbitrary files via a crafted archive that holds directory traversal filenames.