nvd-json-data-feeds/CVE-2023/CVE-2023-444xx/CVE-2023-44483.json

{
  "id": "CVE-2023-44483",
  "sourceIdentifier": "security@apache.org",
  "published": "2023-10-20T10:15:12.933",
  "lastModified": "2023-10-27T18:49:49.600",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled.\u00a0Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.\n"
    },
    {
      "lang": "es",
      "value": "Todas las versiones de Apache Santuario - XML Security para Java anteriores a 2.2.6, 2.3.4 y 3.0.3, cuando utilizan la API JSR 105, son vulnerables a un problema en el que se puede revelar una clave privada en los archivos de registro al generar un La firma XML y el registro con nivel de depuraci\u00f3n est\u00e1n habilitados. Se recomienda a los usuarios actualizar a la versi\u00f3n 2.2.6, 2.3.4 o 3.0.3, que soluciona este problema."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security@apache.org",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "2.2.6",
              "matchCriteriaId": "072EA1B9-C0F1-41FC-97B6-6EDA8B7A4A73"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "2.3.0",
              "versionEndExcluding": "2.3.4",
              "matchCriteriaId": "BD7B2204-670A-4C24-9A8C-C0445F97ADA1"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "3.0.0",
              "versionEndExcluding": "3.0.3",
              "matchCriteriaId": "C09892DB-35BF-41E0-811C-810B8753325C"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "http://www.openwall.com/lists/oss-security/2023/10/20/5",
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55",
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ]
    }
  ]
}