Lucene search

K
cvelistApacheCVELIST:CVE-2023-44483
HistoryOct 20, 2023 - 9:23 a.m.

CVE-2023-44483 Apache Santuario: Private Key disclosure in debug-log output

2023-10-2009:23:53
CWE-532
apache
www.cve.org
3
apache santuario
xml security
java
private key disclosure
debug-log
vulnerability
version upgrade

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

38.7%

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled.ย Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Santuario",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "2.2.6",
        "status": "affected",
        "version": "2.2",
        "versionType": "semver"
      },
      {
        "lessThan": "2.3.4",
        "status": "affected",
        "version": "2.3",
        "versionType": "semver"
      },
      {
        "lessThan": "3.0.3",
        "status": "affected",
        "version": "3.0",
        "versionType": "semver"
      }
    ]
  }
]

AI Score

6.9

Confidence

High

EPSS

0.001

Percentile

38.7%