Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2023-44483 Vulnerability in maven package org.apache.santuario:xmlsec

Description

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/10/20/5

https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55

Related Vulnerabilities

CVE-2019-1010266 Vulnerability in npm package lodash

CVE-2022-45685 Vulnerability in maven package org.codehaus.jettison:jettison

CVE-2022-3224 Vulnerability in maven package org.webjars.npm:parse-url

CVE-2022-22984 Vulnerability in npm package @snyk/snyk-hex-plugin

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-beam-sql

Severity

High

Classification

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory NVD-CWE-noinfo