{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-20859", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "dateUpdated": "2024-08-02T09:21:32.442Z", "dateReserved": "2022-11-01T00:00:00", "datePublished": "2023-03-23T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2023-03-23T00:00:00"}, "descriptions": [{"lang": "en", "value": "In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token."}], "affected": [{"vendor": "n/a", "product": "Spring Vault, Spring Cloud Vault, Spring Cloud Config", "versions": [{"version": "Spring Vault (3.0.0 to 3.0.1, 2.3.0 to 2.3.2), Spring Cloud Vault (4.0.0, 3.1.0 to 3.1.2 and older versions), Spring Cloud Config (4.0.0 to 4.0.1, 3.1.0 to 3.1.6 and older versions)", "status": "affected"}]}], "references": [{"url": "https://spring.io/security/cve-2023-20859"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Information disclosure vulnerability"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T09:21:32.442Z"}, "title": "CVE Program Container", "references": [{"url": "https://spring.io/security/cve-2023-20859", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*", "matchCriteriaId": "27E7C265-DE73-4FE5-BAE9-D6FD0B838B90", "versionEndIncluding": "3.1.6", "versionStartIncluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A42F633-1074-46A8-AB65-DF694B34F650", "versionEndIncluding": "4.0.1", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_cloud_vault:*:*:*:*:*:*:*:*", "matchCriteriaId": "B545C7F6-40FB-4010-9146-1ED3FB861E79", "versionEndIncluding": "3.1.2", "versionStartIncluding": "3.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_cloud_vault:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "DDBE7574-C6A7-4EE3-B7BE-5D867E1034BF", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_vault:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2216E96-8849-4F10-BB79-24BB6B5A1F15", "versionEndExcluding": "2.3.3", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_vault:*:*:*:*:*:*:*:*", "matchCriteriaId": "87C49F06-1DF2-4BA5-89E4-1FD4ED9086FF", "versionEndExcluding": "3.0.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token."}], "id": "CVE-2023-20859", "lastModified": "2023-03-28T13:46:26.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-23T21:15:19.680", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2023-20859"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}