CVE-2023-44483

2023-10-2010:15:12

Debian Security Bug Tracker

security-tracker.debian.org

cve-2023-44483

apache santuario

xml security

java

jsr 105 api

private key disclosure

log files

debug level

upgrade

unix

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.8%

JSON

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

OSVersionArchitecturePackageVersionFilename
Debian12alllibxml-security-java<= 2.1.7-3libxml-security-java_2.1.7-3_all.deb
Debian11alllibxml-security-java<= 2.0.10-2+deb11u1libxml-security-java_2.0.10-2+deb11u1_all.deb
Debian10alllibxml-security-java<= 2.0.10-2+deb10u1libxml-security-java_2.0.10-2+deb10u1_all.deb
Debian999alllibxml-security-java<= 2.1.8-1libxml-security-java_2.1.8-1_all.deb
Debian13alllibxml-security-java<= 2.1.8-1libxml-security-java_2.1.8-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	libxml-security-java	<= 2.1.7-3	libxml-security-java_2.1.7-3_all.deb
Debian	11	all	libxml-security-java	<= 2.0.10-2+deb11u1	libxml-security-java_2.0.10-2+deb11u1_all.deb
Debian	10	all	libxml-security-java	<= 2.0.10-2+deb10u1	libxml-security-java_2.0.10-2+deb10u1_all.deb
Debian	999	all	libxml-security-java	<= 2.1.8-1	libxml-security-java_2.1.8-1_all.deb
Debian	13	all	libxml-security-java	<= 2.1.8-1	libxml-security-java_2.1.8-1_all.deb