CVE-2023-20859

CWE-532 — Log File Information Exposure4 documents4 sources

Severity

5.5MEDIUM

EPSS

0.1%

top 71.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Spring Vault Vmware Spring Cloud Config Vmware Spring Cloud Vault

Timeline

PublishedMar 23

Description

In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶NVDvmware/spring_vault2.3.0 — 2.3.3+1

▶Mavenorg.springframework.vault:spring-vault-core3.0.0 — 3.0.2+1

▶NVDvmware/spring_cloud_vault3.1.0 — 3.1.2+1

▶NVDvmware/spring_cloud_config3.1.0 — 3.1.6+1

🔴Vulnerability Details

GHSA

Spring Vault vulnerable to insertion of sensitive information into a log file↗2023-03-23

▶

CVEList

CVE-2023-20859: In Spring Vault, versions 3↗2023-03-23

▶

OSV

Spring Vault vulnerable to insertion of sensitive information into a log file↗2023-03-23

▶