Dependency Track

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:owasp:dependency-track:*:*:*:*:*:*:*:*

part: a version: * update: *

VendorOwasp (b778b703-6f88-5eeb-b966-330b456a6d00)
ProductDependency Track (ac48a7ae-3ac2-5b93-add1-68faa764def5)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from purl2cpe mapping

PURL mappings

PURLSourceLast updated
pkg:github/dependencytrack/dependency-track purl2cpe 2026-06-01 10:12:06.963817

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2022-39351 vulnerable 2026-06-03 14:47:51.528220 Dependency-Track vulnerable to logging of API keys in clear text when handling API requests using keys with insufficient permissions
MEDIUM (4.4)
Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Prior to version 4.6.0, performing an API request using a valid API key with insufficient permissions causes the API key to be written to Dependency-Track's audit log in clear text. Actors with access to the audit log can exploit this flaw to gain access to valid API keys. The issue has been fixed in Dependency-Track 4.6.0. Instead of logging the entire API key, only the last 4 characters of the key will be logged. It is strongly recommended to check historic logs for occurrences of this behavior, and re-generating API keys in case of leakage.
Published: 2022-10-25T00:00:00.000Z
Updated: 2025-04-23T16:43:44.094Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2019-1020007 vulnerable 2026-06-03 14:39:21.090308 Details available
Dependency-Track before 3.5.1 allows XSS.
Published: 2019-07-29T14:18:52.000Z
Updated: 2024-08-05T03:14:15.264Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.