{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"Medium"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"xml-security security update",
				"category":"general",
				"title":"Synopsis"
			},
			{
				"text":"An update for xml-security is now available for openEuler-24.03-LTS-SP1",
				"category":"general",
				"title":"Summary"
			},
			{
				"text":"The XML Security project is aimed at providing implementation of security standards for XML. Currently the focus is on the W3C standards: - XML-Signature Syntax and Processing; and - XML Encryption Syntax and Processing.\n\nSecurity Fix(es):\n\nAll versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue. (CVE-2023-44483)",
				"category":"general",
				"title":"Description"
			},
			{
				"text":"An update for xml-security is now available for openEuler-24.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
				"category":"general",
				"title":"Topic"
			},
			{
				"text":"Medium",
				"category":"general",
				"title":"Severity"
			},
			{
				"text":"xml-security",
				"category":"general",
				"title":"Affected Component"
			}
		],
		"publisher":{
			"issuing_authority":"openEuler security committee",
			"name":"openEuler",
			"namespace":"https://www.openeuler.org",
			"contact_details":"openeuler-security@openeuler.org",
			"category":"vendor"
		},
		"references":[
			{
				"summary":"openEuler-SA-2025-2382",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2382"
			},
			{
				"summary":"CVE-2023-44483",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-44483&packageName=xml-security"
			},
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-44483"
			},
			{
				"summary":"openEuler-SA-2025-2382 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-2382.json"
			}
		],
		"title":"An update for xml-security is now available for openEuler-24.03-LTS-SP1",
		"tracking":{
			"initial_release_date":"2025-10-11T21:22:56+08:00",
			"revision_history":[
				{
					"date":"2025-10-11T21:22:56+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2025-10-11T21:22:56+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2025-10-11T21:22:56+08:00",
			"id":"openEuler-SA-2025-2382",
			"version":"1.0.0",
			"status":"final"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"openEuler-24.03-LTS-SP1",
									"name":"openEuler-24.03-LTS-SP1"
								},
								"name":"openEuler-24.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"xml-security-2.3.5-1.oe2403sp1.noarch.rpm",
									"name":"xml-security-2.3.5-1.oe2403sp1.noarch.rpm"
								},
								"name":"xml-security-2.3.5-1.oe2403sp1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"xml-security-demo-2.3.5-1.oe2403sp1.noarch.rpm",
									"name":"xml-security-demo-2.3.5-1.oe2403sp1.noarch.rpm"
								},
								"name":"xml-security-demo-2.3.5-1.oe2403sp1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"xml-security-javadoc-2.3.5-1.oe2403sp1.noarch.rpm",
									"name":"xml-security-javadoc-2.3.5-1.oe2403sp1.noarch.rpm"
								},
								"name":"xml-security-javadoc-2.3.5-1.oe2403sp1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"xml-security-2.3.5-1.oe2403sp1.src.rpm",
									"name":"xml-security-2.3.5-1.oe2403sp1.src.rpm"
								},
								"name":"xml-security-2.3.5-1.oe2403sp1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"xml-security-2.3.5-1.oe2403sp1.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:xml-security-2.3.5-1.oe2403sp1.noarch",
					"name":"xml-security-2.3.5-1.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"xml-security-demo-2.3.5-1.oe2403sp1.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:xml-security-demo-2.3.5-1.oe2403sp1.noarch",
					"name":"xml-security-demo-2.3.5-1.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"xml-security-javadoc-2.3.5-1.oe2403sp1.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:xml-security-javadoc-2.3.5-1.oe2403sp1.noarch",
					"name":"xml-security-javadoc-2.3.5-1.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"xml-security-2.3.5-1.oe2403sp1.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:xml-security-2.3.5-1.oe2403sp1.src",
					"name":"xml-security-2.3.5-1.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2023-44483",
			"notes":[
				{
					"text":"All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS-SP1:xml-security-2.3.5-1.oe2403sp1.noarch",
					"openEuler-24.03-LTS-SP1:xml-security-demo-2.3.5-1.oe2403sp1.noarch",
					"openEuler-24.03-LTS-SP1:xml-security-javadoc-2.3.5-1.oe2403sp1.noarch",
					"openEuler-24.03-LTS-SP1:xml-security-2.3.5-1.oe2403sp1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS-SP1:xml-security-2.3.5-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:xml-security-demo-2.3.5-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:xml-security-javadoc-2.3.5-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:xml-security-2.3.5-1.oe2403sp1.src"
					],
					"details":"xml-security security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-2382"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":6.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS-SP1:xml-security-2.3.5-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:xml-security-demo-2.3.5-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:xml-security-javadoc-2.3.5-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:xml-security-2.3.5-1.oe2403sp1.src"
					]
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2023-44483"
		}
	]
}