As part of the Dependency-Track security policy, all customer data is encrypted on disk and in memory. This encryption protects against data leaks as well as unauthorized access to the system. Actors with access to the system or to the audit logs could use them to gain access to data and re-create API keys. The issue has been fixed in Dependency-Track 4.6.0: API keys are now stored in an encrypted database as part of the data storage, access to the data storage is restricted by access control rules, and API keys are only decrypted on the system where they are used.

Indicators of Compromise

The following hashes are provided as indicators of compromise.

Finding vulnerabilities in Dependency-Track

The vulnerability was found by scanning the Dependency-Track web application for common vulnerabilities such as SQL injection, cross-site scripting (XSS), and XSLT. The vulnerability was not present in these scans.

How to verify the vulnerability?

If you experience an issue where API keys are decrypted on a different system, verify that your keys are stored in the encrypted database.

Timeline

Published on: 10/25/2022 17:15:00 UTC
Last modified on: 10/28/2022 19:24:00 UTC
