GHSA-qqhq-8r2c-c3f5: 
Java vulnerability analysis and mitigation

DependencyCheck versions 9.0.0 to 9.0.6 for Maven, 9.0.0 to 9.0.5 for CLI, and 9.0.0 to 9.0.5 for Ant contain a security vulnerability when running in debug mode. The vulnerability was discovered and disclosed on December 15, 2023, and was assigned CVE-2024-23686. This issue affects the OWASP DependencyCheck tool across its various implementations (GitHub Advisory).

The vulnerability is classified as CWE-532 (Insertion of Sensitive Information into Log File) with a CVSS v3.1 base score of 5.3 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. When running in debug mode, the application logs the NVD API Key in clear text, exposing sensitive configuration information (NVD).

The exposure of the NVD API Key could allow attackers to access the National Vulnerability Database API with elevated rate limits. However, it's important to note that the NVD API Key only provides access to publicly available data with higher rate limits, and does not grant access to any confidential information (GitHub Advisory).

Users should upgrade to DependencyCheck version 9.0.6 or later, which addresses this vulnerability by masking the NVD API Key in debug logs. For Maven users, the fix is available in version 9.0.6, while CLI and Ant users should upgrade to version 9.0.6 or later (GitHub Advisory).