3.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-qqhq-8r2c-c3f5

EPSS Score

CWE

CWE-532

Published

12/15/2023

Updated

1/22/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-qqhq-8r2c-c3f5

GHSA-qqhq-8r2c-c3f5: nvdApiKey is logged in debug mode

Summary

The value of nvdApiKey configuration parameter is logged in clear text in debug mode.

Details

The NVD API key is a kind of secret and should be treated like other secrets when logging in debug mode. Expecting the same behavior as for several password configurations: just print ******

Note that while the NVD API Key is an access token for the NVD API - they are not that sensitive. The only thing an NVD API Token grants is a higher rate limit when making calls to publicly available data. The data available from the NVD API is the same whether you have an API Key or not.

PoC

The nvdApiKey is configured to use an environment variable; when running mvn -X dependency-check:check the clear value is logged twice.

Impact

The NVD API key is a kind of secret and should not be exposed. If stolen, an attacker can use this key to obtain already public information.

(GitHub Advisory)

3.3

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-qqhq-8r2c-c3f5

EPSS Score

CWE

CWE-532

Published

12/15/2023

Updated

1/22/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.owasp:dependency-check-ant	maven	>= 9.0.0, <= 9.0.5	9.0.6
org.owasp:dependency-check-cli	maven	>= 9.0.0, <= 9.0.5	9.0.6
org.owasp:dependency-check-maven	maven	>= 9.0.0, < 9.0.6	9.0.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from debug-mode logging of the nvdApiKey without redaction. The affected packages (Maven, Ant, CLI) share a common configuration handling mechanism in the OWASP Dependency-Check core. The DependencyCheckMojo#execute method in the Maven plugin is a known entry point where configuration parameters are processed and logged. The Settings#mergeProperties method (or similar configuration-handling code in the core module) is responsible for loading and logging configuration values across all packages. Since the PoC explicitly references Maven debug logging (mvn -X), these functions are high-confidence candidates for the unredacted logging of the nvdApiKey.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T** v*lu* o* `nv**piK*y` *on*i*ur*tion p*r*m*t*r is lo**** in *l**r t*xt in ***u* mo**. ### **t*ils T** NV* *PI k*y is * kin* o* s**r*t *n* s*oul* ** tr**t** lik* ot**r s**r*ts w**n lo**in* in ***u* mo**. *xp**tin* t** s*m* ****vior *s *

Reasoning

T** vuln*r**ility st*ms *rom ***u*-mo** lo**in* o* t** `nv**piK*y` wit*out r****tion. T** *****t** p**k***s (M*v*n, *nt, *LI) s**r* * *ommon *on*i*ur*tion **n*lin* m****nism in t** OW*SP **p*n**n*y-****k *or*. T** `**p*n**n*y****kMojo#*x**ut*` m*t*o*

3.3

Basic Information

Concerned about an active attack path?

GHSA-qqhq-8r2c-c3f5: nvdApiKey is logged in debug mode

Summary

Details

PoC

Impact

3.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI