CVE-2024-23686: 
Java vulnerability analysis and mitigation

DependencyCheck versions 9.0.0 to 9.0.6 for Maven, 9.0.0 to 9.0.5 for CLI, and 9.0.0 to 9.0.5 for Ant contain a security vulnerability when running in debug mode that exposes the NVD API Key in log files. The vulnerability was discovered and published on December 15, 2023, with updates released on January 22, 2024 (GitHub Advisory).

The vulnerability occurs when the application is run in debug mode, where the nvdApiKey configuration parameter is logged in clear text instead of being masked like other sensitive information. The issue has been assigned a CVSS v3.1 base score of 3.3 (Low severity) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-532 and requires local access with low attack complexity and low privileges to exploit (GitHub Advisory).

The exposure of the NVD API Key, while considered a security concern, has limited impact. The key only provides elevated rate limits for accessing publicly available NVD data. An attacker who obtains the key would only gain the ability to make API calls at a higher rate limit, but would not gain access to any additional or sensitive data beyond what is already publicly available (GitHub Advisory).

The vulnerability has been patched in version 9.0.6 for all affected components (Maven, CLI, and Ant). Users are advised to upgrade to this version to address the issue. The fix ensures that the NVD API Key is properly masked in debug logs, similar to how other sensitive configuration parameters are handled (GitHub Advisory).