Mend User Key
ID |
mend_user_key |
Severity |
high |
Vendor |
Mend |
Family |
Access Key |
Description
Mend (formerly known as WhiteSource) is an AppSec provider.
Mend exposes an api for customers and integrations that uses JWT ephemeral bearer tokens for authentication. The JWT token can be obtained from long-term credentials (an organization’s API key plus a user key).
The API endpoints typically use an ephemeral JWT bearer token, with a short validity (e.g. 30 minutes).
SCA API exposes a /api/login endpoint that uses API Key and User Key to generate the JWT for later calls to the api.
Security
Any hardcoded User key is a potential secret reported by this detector.
If Mend’s long-term credentials are compromised, an attacker could use the API to extract all security findings from Mend products for the organization, which is highly sensitive information.
| For Mend SCA, to gain the ability to impersonate a legitimate user an attacker needs both a valid API Key and User Key. This limits the impact of a unintended leak of a single credential. |
Mitigation / Fix
-
Remove the User key from the source code or committed configuration file.
-
Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s).
-
If under a git repository, you may remove unwanted files from the repository history using tools like
git filter-repoorBFG Repo-Cleaner. You may follow the procedure listed here for GitHub.
|
You should consider any sensitive data in commits with secrets as compromised. Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories. |
-
Check Mend access logs to ensure that the secret was not used by unintended actors during the compromised period.