CVE Client API Key Storage Vulnerability

Vulnerability

A vulnerability exists in the CVE Client's handling of API keys, which it stores in temporary browser client storage. The keys are not adequately protected there and can be extracted through the JavaScript console or recovered from error output. The issue arises because the API key is sent with every transaction to the cve-services API, and the client currently has no middleware to manage sessions or provide CSRF protection.
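An added JavaScript illustration (not the CVE Client's code and not the project's actual fix) of the two leakage paths the advisory names, beside one in-memory, redacting alternative; the storage and transport objects are constructed stand-ins, and the CVE-API-KEY header is the one cve-services expects.

```javascript
// Added illustration, not CVE Client code. `storage` stands in for window.sessionStorage and
// `transport` stands in for the HTTP layer so this runs under Node without a browser.
// The CVE-API-KEY header name is the one cve-services expects; everything else is constructed.

// Weak pattern: the key is persisted in client storage, so any script (or the devtools console)
// can read it back, and it is copied verbatim into error messages.
function weakClient(storage, transport) {
  return {
    setKey(key) { storage.setItem('cve-api-key', key); },
    request(path) {
      const key = storage.getItem('cve-api-key');
      const res = transport(path, { 'CVE-API-KEY': key });
      if (!res.ok) throw new Error(`request to ${path} failed using key ${key}`);
      return res;
    },
  };
}

// Hardened pattern: the key lives only in a closure (nothing is written to storage), callers can
// check for its presence without reading it, and any text that might echo the key is redacted.
function hardenedClient(transport) {
  let key = null;
  const redact = (text) => (key ? String(text).split(key).join('[REDACTED]') : String(text));
  return {
    setKey(k) { key = k; },
    hasKey() { return key !== null; },
    redact,
    request(path) {
      if (key === null) throw new Error('API key not set');
      const res = transport(path, { 'CVE-API-KEY': key });
      if (!res.ok) throw new Error(redact(`request to ${path} failed: HTTP ${res.status}`));
      return res;
    },
  };
}

// Constructed stand-ins: a Map-backed storage and a transport that always answers 401.
function memoryStorage() {
  const m = new Map();
  return { setItem: (k, v) => m.set(k, v), getItem: (k) => (m.has(k) ? m.get(k) : null) };
}
const failingTransport = (path, headers) => ({ ok: false, status: 401, path, headers });
```

Keeping the key out of persistent storage and out of error text closes the two paths named above; it does not replace the session middleware the advisory says is missing.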

Impact

Exposed API keys can lead to unauthorized access and actions on behalf of the user or organization associated with the key.

Remediation

Users can update to the latest version of the CVE Client, which includes enhancements for API key storage and encryption key management. Instructions for installation are available in the project's INSTALL.md file.

Added: Apr 2, 2026, 9:50 PM
Updated: Apr 2, 2026, 9:50 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.8
exploitability: 8.1
remediation: 0.0
relevance: 5.1
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.