CNNVD-202510-899 Information

CNNVD ID

CNNVD-202510-899

CVE ID

CVE-2025-61776

  • CNNVD Published: 2025-10-07

Description (Chinese, translated)

Dependency-Track is an open-source intelligent supply chain component analysis platform, maintained by the Dependency-Track project, for identifying risks in third-party components. Dependency-Track versions prior to 4.13.5 contain a security vulnerability: credentials configured for a private NuGet repository may be sent to api.nuget.org, and the names and versions of components marked as internal may be leaked.

Description (English)

Dependency-Track is an open-source intelligent supply chain component analysis platform from the Dependency-Track project for identifying risks in third-party components. Versions of Dependency-Track prior to 4.13.5 contain a security vulnerability in which credentials configured for a private NuGet repository may be sent to api.nuget.org, and the names and versions of components marked as internal may be leaked to that public registry.
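The failure mode described above, modelled as an added example (this is not Dependency-Track's own code): a vulnerable repository metadata lookup that carries the private repository's credentials over to its api.nuget.org fallback and queries that fallback even for internal components, beside a hardened form that binds credentials to the host they were configured for and never asks a public registry about an internal component. The class and function names, the fake HTTP client, the URL shapes and the sample repository and package names are assumptions made for the illustration.

```python
"""Illustrative model of the credential-routing defect in this entry.

Added example, not Dependency-Track code. Every name here (Repository,
Component, FakeHttpClient, resolve_vulnerable, resolve_hardened) and the
metadata URL shape are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

PUBLIC_NUGET = "https://api.nuget.org/v3/index.json"


@dataclass
class Repository:
    url: str
    username: Optional[str] = None
    password: Optional[str] = None
    internal: bool = False  # repository hosts in-house packages

    def auth(self):
        return (self.username, self.password) if self.username else None

    def host(self):
        return urlparse(self.url).hostname


@dataclass
class Component:
    name: str
    version: str
    internal: bool = False  # component flagged "internal" in the portfolio


@dataclass
class FakeHttpClient:
    """Records (host, url, auth) for every request instead of using the network."""
    requests: list = field(default_factory=list)

    def get(self, url, auth=None):
        self.requests.append((urlparse(url).hostname, url, auth))
        return None  # simulate "no metadata found", which triggers any fallback


def metadata_url(repo_url, component):
    # Constructed URL shape for the example; real registry endpoints differ.
    parsed = urlparse(repo_url)
    return f"{parsed.scheme}://{parsed.hostname}/v3-flatcontainer/{component.name.lower()}/index.json"


def resolve_vulnerable(repos, component, client):
    """Vulnerable shape: when the configured repository has no answer, retry
    against api.nuget.org with the same credentials, even for internal components."""
    for repo in repos:
        auth = repo.auth()
        if client.get(metadata_url(repo.url, component), auth=auth) is None:
            client.get(metadata_url(PUBLIC_NUGET, component), auth=auth)


def authenticated_get(client, repo, url):
    """Attach a repository's credentials only when the request targets that repository's host."""
    auth = repo.auth() if urlparse(url).hostname == repo.host() else None
    return client.get(url, auth=auth)


def resolve_hardened(repos, component, client):
    """Hardened shape: credentials stay bound to their host, and internal
    components are only looked up in internal repositories."""
    for repo in repos:
        if component.internal and not repo.internal:
            continue  # never ask a public repository about an internal component
        authenticated_get(client, repo, metadata_url(repo.url, component))
    if not component.internal:
        client.get(metadata_url(PUBLIC_NUGET, component), auth=None)  # unauthenticated fallback


def hosts_that_received_credentials(client):
    return sorted({host for host, _, auth in client.requests if auth is not None})


def hosts_queried(client):
    return sorted({host for host, _, _ in client.requests})


if __name__ == "__main__":
    # Constructed sample configuration: one private, internal NuGet repository.
    repos = [Repository("https://nuget.corp.example/v3/index.json", "svc", "s3cr3t", internal=True)]
    pkg = Component("Corp.Internal.Lib", "1.2.3", internal=True)
    for resolver in (resolve_vulnerable, resolve_hardened):
        client = FakeHttpClient()
        resolver(repos, pkg, client)
        print(resolver.__name__, "queried", hosts_queried(client),
              "credentials sent to", hosts_that_received_credentials(client))
```

The check a practitioner wants is the one `hosts_that_received_credentials` makes explicit: after a lookup, no host other than the one a credential was configured for should appear in that list, and no public registry host should appear in `hosts_queried` for an internal component. Upgrading to 4.13.5 stops the leak going forward; credentials that a vulnerable instance may already have sent to api.nuget.org should be treated as exposed and rotated.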

Hazard Level

High

Vulnerability Type

Other

Affected Vendor

Dependency-Track

Published

2025-10-07

Last Modified

2026-02-24

References

  • https://github.com/DependencyTrack/dependency-track/releases/tag/4.13.5
  • https://github.com/DependencyTrack/dependency-track/security/advisories/GHSA-83g2-vgqh-mgxc
  • https://access.redhat.com/security/cve/cve-2025-61776

Patch

https://dependencytrack.org/
