CVE-2023-44483
Apache Santuario: Private Key disclosure in debug-log output
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
Todas las versiones de Apache Santuario - XML Security para Java anteriores a 2.2.6, 2.3.4 y 3.0.3, cuando utilizan la API JSR 105, son vulnerables a un problema en el que se puede revelar una clave privada en los archivos de registro al generar un La firma XML y el registro con nivel de depuración están habilitados. Se recomienda a los usuarios actualizar a la versión 2.2.6, 2.3.4 o 3.0.3, que soluciona este problema.
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2023-09-29 CVE Reserved
- 2023-10-20 CVE Published
- 2023-11-22 EPSS Updated
- 2024-09-12 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-532: Insertion of Sensitive Information into Log File
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2023/10/20/5 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 | 2023-10-27 | |
| https://access.redhat.com/security/cve/CVE-2023-44483 | 2024-06-06 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2246070 | 2024-06-06 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Santuario Xml Security For Java Search vendor "Apache" for product "Santuario Xml Security For Java" | < 2.2.6 Search vendor "Apache" for product "Santuario Xml Security For Java" and version " < 2.2.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Santuario Xml Security For Java Search vendor "Apache" for product "Santuario Xml Security For Java" | >= 2.3.0 < 2.3.4 Search vendor "Apache" for product "Santuario Xml Security For Java" and version " >= 2.3.0 < 2.3.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Santuario Xml Security For Java Search vendor "Apache" for product "Santuario Xml Security For Java" | >= 3.0.0 < 3.0.3 Search vendor "Apache" for product "Santuario Xml Security For Java" and version " >= 3.0.0 < 3.0.3" | - |
Affected
| ||||||