CVE-2023-44483

EUVD-2023-2836
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 37%
Affected Products (NVD)
VendorProductVersion
apachesantuario_xml_security_for_java
𝑥
< 2.2.6
apachesantuario_xml_security_for_java
2.3.0 ≤
𝑥
< 2.3.4
apachesantuario_xml_security_for_java
3.0.0 ≤
𝑥
< 3.0.3
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxml-security-java
bookworm
no-dsa
bullseye
no-dsa
bullseye (security)
vulnerable
buster
no-dsa
sid
vulnerable
trixie
vulnerable
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libxml-security-java
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
lunar
ignored
mantic
ignored
noble
needs-triage
oracular
needs-triage
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
http://www.openwall.com/lists/oss-security/2023/10/20/5
https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
http://www.openwall.com/lists/oss-security/2023/10/20/5
https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55
https://security.netapp.com/advisory/ntap-20241108-0002/