
Logging of API keys in clear text when handling API requests using keys with insufficient permissions

Moderate
nscuro published GHSA-gh7v-4hxp-gqp4 Oct 11, 2022

Package

maven org.dependencytrack:dependency-track (Maven)

Affected versions

< 4.6.0

Patched versions

4.6.0

Description

Performing an API request using a valid API key with insufficient permissions causes the API key to be written to Dependency-Track's audit log in clear text.

For example, the following request:

curl -H 'X-Api-Key: WKX2dQgrvUxrRP88f6EMovfrBOWzQkhG' https://dtrack.example.com/api/v1/team

would cause the following message to be written to the log if the provided API key lacks the ACCESS_MANAGEMENT permission:

INFO [AuthorizationFilter] Unauthorized access attempt made by API Key WKX2dQgrvUxrRP88f6EMovfrBOWzQkhG to https://dtrack.example.com/api/v1/team

As per the default logging configuration, audit logs are written to:

  • ~/.dependency-track/dependency-track.log
  • ~/.dependency-track/dependency-track-audit.log
  • Standard Output

Note:
For the official container images, the user's home directory (~) is set to /data

Impact

Actors with read access to the audit log (or to wherever standard output is collected) can exploit this flaw to obtain valid API keys and subsequently use them against the Dependency-Track API with the full permissions of those keys.

CVSS v3.1 Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVSS v3.1 Score: 4.4

Patches

The issue has been fixed in Dependency-Track 4.6.0.

Instead of logging the entire API key, only its last 4 characters are logged.

It is strongly recommended to check historic logs, including any copies forwarded to a central log store, for occurrences of this message, and to regenerate every API key found in them.
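The following Python is an added example for the two steps above, not Dependency-Track's own code: it scans log text for the message shape quoted in this advisory, reports which keys leaked and against which endpoints, and rewrites the log so that only the last 4 characters of each key remain, mirroring the 4.6.0 behaviour. The sample log is constructed for this example (the first line is the advisory's own message, the rest are made up), and the exact masked format emitted by 4.6.0 is not stated in the advisory, so the "****" prefix used here is an assumption.

```python
import re
from collections import defaultdict

# Message shape quoted in the advisory for Dependency-Track < 4.6.0.
UNAUTHORIZED_RE = re.compile(
    r"(?P<prefix>Unauthorized access attempt made by API Key )"
    r"(?P<key>\S+)"
    r"(?P<mid> to )"
    r"(?P<url>\S+)"
)

# Constructed sample of a pre-4.6.0 audit log (not a real capture).
# Line 1 is the advisory's example; the others exercise skipping and aggregation.
SAMPLE_LOG = """\
INFO [AuthorizationFilter] Unauthorized access attempt made by API Key WKX2dQgrvUxrRP88f6EMovfrBOWzQkhG to https://dtrack.example.com/api/v1/team
INFO [AuthenticationFilter] Invalid API key asserted
INFO [AuthorizationFilter] Unauthorized access attempt made by API Key 7kP0f2hN1qW9eR4tY6uI8oA3sD5fG7hJ to https://dtrack.example.com/api/v1/project
INFO [AuthorizationFilter] Unauthorized access attempt made by API Key WKX2dQgrvUxrRP88f6EMovfrBOWzQkhG to https://dtrack.example.com/api/v1/vulnerability
"""


def leaked_keys(log_text):
    """Return {api_key: sorted distinct URLs} for every key leaked into log_text."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = UNAUTHORIZED_RE.search(line)
        if m:
            hits[m.group("key")].add(m.group("url"))
    return {key: sorted(urls) for key, urls in hits.items()}


def mask_api_key(key, visible=4):
    """Keep only the last `visible` characters of a key.

    Assumed masked format (the advisory only says the last 4 characters are
    logged after the fix). A key no longer than `visible` characters is
    masked entirely so the mask never exposes the whole key.
    """
    if len(key) <= visible:
        return "****"
    return "****" + key[-visible:]


def redact_log(log_text):
    """Rewrite every leaked key in log_text to its masked form."""
    def _sub(m):
        return m.group("prefix") + mask_api_key(m.group("key")) + m.group("mid") + m.group("url")
    return UNAUTHORIZED_RE.sub(_sub, log_text)


if __name__ == "__main__":
    for key, urls in leaked_keys(SAMPLE_LOG).items():
        print(f"key ending in {mask_api_key(key)} leaked in full; "
              f"used against {len(urls)} endpoint(s): {', '.join(urls)}")
```

To use it against a real installation, feed it the contents of ~/.dependency-track/dependency-track.log and ~/.dependency-track/dependency-track-audit.log (/data/.dependency-track/ for the official container images), plus whatever captured standard output. Every key that leaked_keys() reports should be regenerated; redact_log() is only for scrubbing copies of old logs before sharing them, not a substitute for rotating the keys.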

Credit

Thanks to GitHub user elastic-pangolin for finding and responsibly disclosing the issue.


CVE ID

CVE-2022-39351