CVE-2023-44483
Apache Santuario - XML Security for Java are vulnerable to private key disclosure
6.5
MEDIUM
CVSS 3.1
EPSS 0.17%
Description
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
How to fix CVE-2023-44483
To remediate CVE-2023-44483, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 2.3.4 or later
Is CVE-2023-44483 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- >= 2.3.0, < 2.3.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |