CVE-2023-44483

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled.Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 27%
VendorProductVersion
apachesantuario_xml_security_for_java
𝑥
< 2.2.6
apachesantuario_xml_security_for_java
2.3.0 ≤
𝑥
< 2.3.4
apachesantuario_xml_security_for_java
3.0.0 ≤
𝑥
< 3.0.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxml-security-java
bullseye (security)
vulnerable
bullseye
no-dsa
bookworm
no-dsa
buster
no-dsa
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxml-security-java
oracular
needs-triage
noble
needs-triage
mantic
ignored
lunar
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/10/20/5
https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
http://www.openwall.com/lists/oss-security/2023/10/20/5
https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55