Dependency-Track
cpe:2.3:a:dependencytrack:dependency-track:*:*:*:*:*:*:*
- < 4.13.5
A vulnerability in Dependency-Track prior to version 4.13.5 allows the unintentional disclosure of credentials intended for private NuGet repositories. It occurs when the Dependency-Track instance includes .NET components, a custom NuGet repository is configured with authentication, and that repository's server does not advertise the 'PackageBaseAddress' resource in its service index. In that case Dependency-Track falls back to the public NuGet repository 'api.nuget.org' and sends the private credentials to it in the HTTP 'Authorization' header. Additionally, the names and versions of components marked as internal may be disclosed to 'api.nuget.org'.
Exploitation of this vulnerability could lead to the unauthorized disclosure of private NuGet repository credentials and internal component information to the public NuGet repository 'api.nuget.org'.
Users should upgrade to Dependency-Track version 4.13.5. Until the patch is applied, custom NuGet repositories can be disabled; previously used credentials should be invalidated and new credentials generated for use once the patch is in place.
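The failure mode above is a fallback that changes the destination host while keeping the credential attached. The following Python is an added example, not Dependency-Track's code, showing the leaky pattern beside a fail-closed resolver: it parses a NuGet v3 service index, refuses to substitute a public feed when 'PackageBaseAddress' is absent, and only attaches the credential when the resolved download origin matches the configured repository. The service-index documents, the hostname 'nuget.example.internal' and the credential string are constructed for the demonstration; the same-origin rule is one possible credential-scoping policy, not the project's.

```python
"""Leaky vs. fail-closed resolution of the NuGet v3 PackageBaseAddress resource.

Added example (not Dependency-Track's code). Sample indexes are constructed.
"""
import json
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Public NuGet flat-container endpoint named in the advisory.
PUBLIC_FLATCONTAINER = "https://api.nuget.org/v3-flatcontainer/"

# Constructed service-index documents for a hypothetical private feed.
REPO_URL = "https://nuget.example.internal/v3/index.json"
INDEX_WITH_BASE = json.dumps({
    "version": "3.0.0",
    "resources": [
        {"@id": "https://nuget.example.internal/v3-flatcontainer/",
         "@type": "PackageBaseAddress/3.0.0"},
        {"@id": "https://nuget.example.internal/query",
         "@type": "SearchQueryService"},
    ],
})
INDEX_WITHOUT_BASE = json.dumps({
    "version": "3.0.0",
    "resources": [
        {"@id": "https://nuget.example.internal/query",
         "@type": "SearchQueryService"},
    ],
})


class ServiceIndexError(ValueError):
    """Raised when the service index lacks a resource we refuse to guess."""


def package_base_address(service_index_json: str) -> Optional[str]:
    """Return the PackageBaseAddress @id from a v3 service index, or None."""
    index = json.loads(service_index_json)
    for res in index.get("resources", []):
        # @type carries a version suffix, e.g. "PackageBaseAddress/3.0.0".
        if str(res.get("@type", "")).split("/", 1)[0] == "PackageBaseAddress":
            return res["@id"].rstrip("/") + "/"
    return None


def same_origin(url_a: str, url_b: str) -> bool:
    """True when scheme, host and explicit port match (no default-port mapping)."""
    a, b = urlparse(url_a), urlparse(url_b)
    return (a.scheme.lower(), a.hostname, a.port) == (b.scheme.lower(), b.hostname, b.port)


def nupkg_url(base: str, package_id: str, version: str) -> str:
    """Flat-container path convention: {id}/{version}/{id}.{version}.nupkg, lower-cased."""
    pid, ver = package_id.lower(), version.lower()
    return f"{base}{pid}/{ver}/{pid}.{ver}.nupkg"


def leaky_plan(service_index_json: str, credential: str,
               package_id: str, version: str) -> Tuple[str, Dict[str, str]]:
    """The pattern the advisory describes: missing resource -> public fallback,
    credential still attached to the request."""
    base = package_base_address(service_index_json) or PUBLIC_FLATCONTAINER
    return nupkg_url(base, package_id, version), {"Authorization": credential}


def safe_plan(repo_url: str, service_index_json: str, credential: str,
              package_id: str, version: str) -> Tuple[str, Dict[str, str]]:
    """Fail closed: no resource means no request, and the credential only
    travels to the origin the repository was configured with."""
    base = package_base_address(service_index_json)
    if base is None:
        raise ServiceIndexError("service index has no PackageBaseAddress; refusing public fallback")
    if not same_origin(repo_url, base):
        raise ServiceIndexError(f"PackageBaseAddress {base} is off the configured origin; credential withheld")
    return nupkg_url(base, package_id, version), {"Authorization": credential}


def demo() -> Dict[str, object]:
    """Run both resolvers against the index that lacks PackageBaseAddress."""
    cred = "Basic Y29uc3RydWN0ZWQ="  # constructed placeholder credential
    leaky_url, leaky_headers = leaky_plan(INDEX_WITHOUT_BASE, cred, "Internal.Lib", "1.2.3")
    try:
        safe_result: object = safe_plan(REPO_URL, INDEX_WITHOUT_BASE, cred, "Internal.Lib", "1.2.3")[0]
    except ServiceIndexError as exc:
        safe_result = f"refused: {exc}"
    return {
        "leaky_url": leaky_url,
        "leaky_sends_credential_to_public_host": (
            urlparse(leaky_url).hostname == "api.nuget.org" and "Authorization" in leaky_headers
        ),
        "safe_result": safe_result,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the leaky resolver building an 'api.nuget.org' URL for the internal component with the 'Authorization' header attached, while the fail-closed resolver refuses. With INDEX_WITH_BASE the safe resolver returns a URL on the configured host, which is the only case in which the credential is sent.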