Inclusion of Sensitive Information in Log Files in dependency-track - CVE-2022-39351
Published: October 11, 2022 / Updated: April 23, 2026
Vulnerability identifier: #VU127083
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-39351
CWE-ID: CWE-532
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
dependency-track
dependency-track
Software vendor:
DependencyTrack
DependencyTrack
Description
The vulnerability allows a local privileged user to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into log files in the authorization filter audit logging functionality when handling API requests with a valid API key that has insufficient permissions. A local privileged user can submit an API request with such an API key to disclose sensitive information.
Audit logs may be written to log files and standard output.
Remediation
Install security update from vendor's website.