CVE-2023-44483

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/10/20/5	Mailing List Third Party Advisory
https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:santuario_xml_security_for_java::::::::
	cpe:2.3:a:apache:santuario_xml_security_for_java::::::::
	cpe:2.3:a:apache:santuario_xml_security_for_java::::::::

History

27 Oct 2023, 18:49

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:santuario_xml_security_for_java::::::::
First Time		Apache Apache santuario Xml Security For Java
References	~~(MISC) https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 -~~	(MISC) https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 - Mailing List, Vendor Advisory
References	~~(MISC) http://www.openwall.com/lists/oss-security/2023/10/20/5 -~~	(MISC) http://www.openwall.com/lists/oss-security/2023/10/20/5 - Mailing List, Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

20 Oct 2023, 15:15

Type	Values Removed	Values Added
References		(MISC) http://www.openwall.com/lists/oss-security/2023/10/20/5 -

20 Oct 2023, 11:27

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-10-20 10:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-44483

Mitre link : CVE-2023-44483

CVE.ORG link : CVE-2023-44483

JSON object : View

Products Affected

apache

santuario_xml_security_for_java

CWE

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2023-44483", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-10-20T10:15:12.933", "references": [{"url": "http://www.openwall.com/lists/oss-security/2023/10/20/5", "tags": ["Mailing List", "Third Party Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled.\u00a0Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.\n"}, {"lang": "es", "value": "Todas las versiones de Apache Santuario - XML Security para Java anteriores a 2.2.6, 2.3.4 y 3.0.3, cuando utilizan la API JSR 105, son vulnerables a un problema en el que se puede revelar una clave privada en los archivos de registro al generar un La firma XML y el registro con nivel de depuraci\u00f3n est\u00e1n habilitados. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.2.6, 2.3.4 o 3.0.3, que soluciona este problema."}], "lastModified": "2023-10-27T18:49:49.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "072EA1B9-C0F1-41FC-97B6-6EDA8B7A4A73", "versionEndExcluding": "2.2.6"}, {"criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD7B2204-670A-4C24-9A8C-C0445F97ADA1", "versionEndExcluding": "2.3.4", "versionStartIncluding": "2.3.0"}, {"criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C09892DB-35BF-41E0-811C-810B8753325C", "versionEndExcluding": "3.0.3", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}