3 results (0.007 seconds)

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue. Todas las versiones de Apache Santuario - XML Security para Java anteriores a 2.2.6, 2.3.4 y 3.0.3, cuando utilizan la API JSR 105, son vulnerables a un problema en el que se puede revelar una clave privada en los archivos de registro al generar un La firma XML y el registro con nivel de depuración están habilitados. Se recomienda a los usuarios actualizar a la versión 2.2.6, 2.3.4 o 3.0.3, que soluciona este problema. All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled.  • http://www.openwall.com/lists/oss-security/2023/10/20/5 https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 https://access.redhat.com/security/cve/CVE-2023-44483 https://bugzilla.redhat.com/show_bug.cgi?id=2246070 • CWE-532: Insertion of Sensitive Information into Log File •

CVSS: 7.5EPSS: 0%CPEs: 34EXPL: 0

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. Todas las versiones de Apache Santuario - XML Security for Java anteriores a 2.2.3 y 2.1.7 son vulnerables a un problema donde la propiedad "secureValidation" no es pasada correctamente cuando es creado un KeyInfo a partir de un elemento KeyInfoReference. Esto permite a un atacante abusar de una transformación XPath para extraer cualquier archivo local .xml en un elemento RetrievalMethod • https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59%40%3Cissues.cxf.apache.org%3E https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28%40%3Ccommits.tomee.apache.org%3E https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4% • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0

Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. Apache Santuario XML Security for Java 2.0.x anterior a 2.0.3 permite a atacantes remotos evadir el mecanismo de protección de firmas de transmisión XML a través de un documento XML manipulado. • http://santuario.apache.org/secadv.data/CVE-2014-8152.txt.asc http://seclists.org/oss-sec/2015/q1/181 http://www.securityfocus.com/bid/72115 http://www.securitytracker.com/id/1031556 https://exchange.xforce.ibmcloud.com/vulnerabilities/99993 https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E • CWE-254: 7PK - Security Features •