Dependency-Track Vulnerability

MEDIUM (4.7) Workaround Available

Threat Intelligence

Low Risk
EPSS Score: 0.06% chance of exploitation (percentile: 18%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Dependency-Track is a component analysis platform that identifies and reduces risk in the software supply chain. It scans for dependencies in .NET applications and reports on potential vulnerabilities. However, prior to version 4.13.5, Dependency-Track may inadvertently disclose sensitive information about internal components or send credentials meant for private NuGet repositories to public servers.

Am I affected?

You're affected if you use Dependency-Track versions prior to 4.13.5. Check with: dependency-track command-line tool --version

Note: This vulnerability is specific to .NET applications and custom NuGet repositories, so if you don't use these, you're likely not affected.

Affected Packages

nuget: DependencyTrack NuGet package (not publicly available)

Affected Products

aEnrich / a+HRD

How to fix

  1. Upgrade to Dependency-Track version 4.13.5 or later from the official GitHub releases page: https://github.com/DependencyTrack/dependency-track/releases/tag/4.13.5
  2. Disable custom NuGet repositories until the patch has been applied.
  3. Invalidate previously used credentials and generate new credentials for usage after the patch has been applied.
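As an added example that is not part of this advisory, a small Python check that compares a deployment's reported version with the 4.13.5 fix before deciding whether steps 2 and 3 still apply. It assumes the server exposes a JSON endpoint at /api/version with a "version" field (an assumption, not something the advisory states), and conservatively treats pre-release builds of 4.13.5 as still affected.

```python
"""Compare a Dependency-Track deployment's version against the 4.13.5 fix."""
import json
import re
import urllib.request

# First release described above as containing the fix (trailing 1 = final release).
FIXED_VERSION = (4, 13, 5, 1)

# Constructed sample of what the (assumed) /api/version endpoint returns.
SAMPLE_RESPONSE = b'{"application":"Dependency-Track","version":"4.13.4"}'


def parse_version(text: str) -> tuple:
    """Turn '4.13.4', 'v4.13.5' or '4.13.5-SNAPSHOT' into a comparable tuple.

    A pre-release suffix sorts before the final release of the same number,
    so a snapshot of 4.13.5 is still treated as unpatched.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups()[:3])
    is_final = m.group(4) is None
    return (major, minor, patch, 1 if is_final else 0)


def is_affected(version: str) -> bool:
    """True when the reported version predates the 4.13.5 fix."""
    return parse_version(version) < FIXED_VERSION


def version_from_response(body: bytes) -> str:
    """Extract the version string from the JSON body returned by /api/version."""
    return json.loads(body)["version"]


def check_server(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch /api/version from a live server and report whether it is affected."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/version",
        headers={"Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return is_affected(version_from_response(resp.read()))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    affected = check_server(target) if target else is_affected(version_from_response(SAMPLE_RESPONSE))
    print("affected: upgrade to 4.13.5+" if affected else "not affected")
```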