Inclusion of Sensitive Information in Log Files in dependency-track - CVE-2022-39351

 

Inclusion of Sensitive Information in Log Files in dependency-track - CVE-2022-39351

Published: October 11, 2022 / Updated: April 23, 2026


Vulnerability identifier: #VU127083
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-39351
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: DependencyTrack
Affected software:
dependency-track

Detailed vulnerability description

The vulnerability allows a local privileged user to disclose sensitive information.

The vulnerability exists due to insertion of sensitive information into log files in the authorization filter audit logging functionality when handling API requests with a valid API key that has insufficient permissions. A local privileged user can submit an API request with such an API key to disclose sensitive information.

Audit logs may be written to log files and standard output.


How to mitigate CVE-2022-39351

Install security update from vendor's website.

Sources