Description

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/10/20/5

https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55

Related Vulnerabilities

CVE-2022-36100 Vulnerability in maven package org.xwiki.platform:xwiki-platform-tag-ui

CVE-2021-21626 Vulnerability in maven package io.jenkins.plugins:warnings-ng

CVE-2023-42794 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-hive

CVE-2020-28496 Vulnerability in npm package three

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory NVD-CWE-noinfo