In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.
{
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "Spring Vault (3.0.0 to 3.0.1, 2.3.0 to 2.3.2), Spring Cloud Vault (4.0.0, 3.1.0 to 3.1.2 and older versions), Spring Cloud Config (4.0.0 to 4.0.1, 3.1.0 to 3.1.6 and older versions)"
},
{
"last_affected": "Spring Vault (3.0.0 to 3.0.1, 2.3.0 to 2.3.2), Spring Cloud Vault (4.0.0, 3.1.0 to 3.1.2 and older versions), Spring Cloud Config (4.0.0 to 4.0.1, 3.1.0 to 3.1.6 and older versions)"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/20xxx/CVE-2023-20859.json",
"cna_assigner": "vmware"
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:vmware:spring_cloud_config:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "3.1.0"
},
{
"last_affected": "3.1.6"
},
{
"introduced": "4.0.0"
},
{
"last_affected": "4.0.1"
}
]
}{
"source": [
"CPE_RANGE",
"CPE_STRING"
],
"cpe": [
"cpe:2.3:a:vmware:spring_cloud_vault:*:*:*:*:*:*:*:*",
"cpe:2.3:a:vmware:spring_cloud_vault:4.0.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "3.1.0"
},
{
"last_affected": "3.1.2"
},
{
"introduced": "4.0.0"
},
{
"last_affected": "4.0.0"
}
]
}