Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2023-44483 Vulnerability in maven package org.apache.santuario:xmlsec

Description

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/10/20/5

https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55

https://security.netapp.com/advisory/ntap-20241108-0002/

Related Vulnerabilities

CVE-2019-10307 Vulnerability in maven package org.jvnet.hudson.plugins:analysis-core

CVE-2023-31417 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2022-28355 Vulnerability in maven package org.scala-js:scalajs-library_2.12

CVE-2022-21192 Vulnerability in npm package serve-lite

CVE-2022-43413 Vulnerability in maven package org.jenkins-ci.plugins:job-import-plugin

Severity

High

Classification

CWE-532 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory