CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-44483 – Apache Santuario: Private Key disclosure in debug-log output
https://notcve.org/view.php?id=CVE-2023-44483
20 Oct 2023 — All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue. Todas las versiones de Apache Santuario - XML Security para Java anteriores a 2.2.6, 2.3.4 y 3.0.3, cuando utilizan la API JSR 105, son vulnerables a ... • http://www.openwall.com/lists/oss-security/2023/10/20/5 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.5EPSS: 0%CPEs: 34EXPL: 0CVE-2021-40690 – Bypass of the secureValidation property
https://notcve.org/view.php?id=CVE-2021-40690
19 Sep 2021 — All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. Todas las versiones de Apache Santuario - XML Security for Java anteriores a 2.2.3 y 2.1.7 son vulnerables a un problema donde la propiedad "secureValidation" no es pasad... • https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa%40%3Ccommits.tomee.apache.org%3E • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.3EPSS: 3%CPEs: 3EXPL: 0CVE-2014-8152
https://notcve.org/view.php?id=CVE-2014-8152
21 Jan 2015 — Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. Apache Santuario XML Security for Java 2.0.x anterior a 2.0.3 permite a atacantes remotos evadir el mecanismo de protección de firmas de transmisión XML a través de un documento XML manipulado. • http://santuario.apache.org/secadv.data/CVE-2014-8152.txt.asc • CWE-254: 7PK - Security Features •