Impact
All versions of Dependency-Track from 3.0.0 to 3.5.0 are affected. Malicious payloads would need to be crafted and stored by users holding the PORTFOLIO_MANAGEMENT permission. Users without this permission cannot store malicious payloads themselves, but can still be affected by payloads already persisted.
Patches
These issues have been corrected in Dependency-Track v3.5.1 and higher.
Credit
Thanks to 1jesper1 for finding and responsibly disclosing these issues.
| Reported on | Remediated on | Turnaround |
|---|---|---|
| 12 July, 2019 | 17 July, 2019 | 5 days |