GHSA-xfrj-6vvc-3xm2

Suggest an improvement
Source
https://github.com/advisories/GHSA-xfrj-6vvc-3xm2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-xfrj-6vvc-3xm2/GHSA-xfrj-6vvc-3xm2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xfrj-6vvc-3xm2
Aliases
Related
Published
2023-10-20T12:31:04Z
Modified
2024-09-11T06:12:22.759273Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Apache Santuario - XML Security for Java are vulnerable to private key disclosure
Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

References

Affected packages

Maven / org.apache.santuario:xmlsec

Package

Name
org.apache.santuario:xmlsec
View open source insights on deps.dev
Purl
pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.4

Affected versions

2.*

2.3.0
2.3.1
2.3.2
2.3.3

Maven / org.apache.santuario:xmlsec

Package

Name
org.apache.santuario:xmlsec
View open source insights on deps.dev
Purl
pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.6

Affected versions

1.*

1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8

2.*

2.0.0-beta
2.0.0-rc1
2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.1.7
2.1.8
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5

Maven / org.apache.santuario:xmlsec

Package

Name
org.apache.santuario:xmlsec
View open source insights on deps.dev
Purl
pkg:maven/org.apache.santuario/xmlsec

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.3

Affected versions

3.*

3.0.0
3.0.1
3.0.2