All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
References
| Link | Resource |
|---|---|
| http://www.openwall.com/lists/oss-security/2023/10/20/5 | Mailing List, Third Party Advisory |
| https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 | Mailing List, Vendor Advisory |
Configurations
Configuration 1
History
27 Oct 2023, 18:49
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2 : (none), v3 : (none) | v2 : unknown, v3 : 6.5 |
| CPE | `cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*` | |
| First Time | Apache; Apache Santuario Xml Security For Java | |
| References | (MISC) https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 - Mailing List, Vendor Advisory | |
| References | (MISC) http://www.openwall.com/lists/oss-security/2023/10/20/5 - Mailing List, Third Party Advisory | |
20 Oct 2023, 15:15
| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
20 Oct 2023, 11:27
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |
Information
Published : 2023-10-20 10:15
Updated : 2024-02-28 20:33
NVD link : CVE-2023-44483
Mitre link : CVE-2023-44483
CVE.ORG link : CVE-2023-44483
Products Affected
apache
- santuario_xml_security_for_java
CWE
CWE-532
Insertion of Sensitive Information into Log File