CVE-2023-20859

low-risk
Published 2023-03-23

In Spring Vault, versions 3.0.x prior to 3.0.2 and versions 2.3.x prior to 2.3.3 and older versions, an application is vulnerable to insertion of sensitive information into a log file when it attempts to revoke a Vault batch token.

Do I need to act?

-
0.11% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (4)

Spring Cloud Vault
Spring Cloud Vault
Spring Vault

Affected Vendors

Vmware

References (2)

Vendor Advisory https://spring.io/security/cve-2023-20859
Vendor Advisory https://spring.io/security/cve-2023-20859
28
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 10/34 · Low