Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/com.ritense.valtimo/inbox@13.4.1.RELEASE |
| Type | maven |
| Namespace | com.ritense.valtimo |
| Name | inbox |
| Version | 13.4.1.RELEASE |
| Qualifiers | (none) |
| Subpath | (none) |
| Is_vulnerable | true |
| Next_non_vulnerable_version | 13.22.0.RELEASE |
| Latest_non_vulnerable_version | 13.22.0.RELEASE |
| Affected_by_vulnerabilities | 1 entry (index 0) |
| url | VCID-d477-bm1w-m7fg |
| vulnerability_id | VCID-d477-bm1w-m7fg |
| summary | (advisory text below) |

Valtimo: Sensitive data exposure through inbox message logging in InboxHandlingService

### Summary
The `InboxHandlingService` logs the full content of every incoming inbox message at INFO level (`logger.info("Received message: {}", message)`). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen identifiers (BSN), and case details.

### Impact
The payload is written to the log on every message, so this data is exposed to:
- Anyone with access to application logs (stdout/log files)
- Any Valtimo user with the admin role, through the logging module in the Admin UI

### Affected Code
`com.ritense.inbox.InboxHandlingService#handle` in the `inbox` module.

### Resolution
Fixed in [13.22.0](https://github.com/valtimo-platform/valtimo/releases/tag/13.22.0) (Maven artifact version `13.22.0.RELEASE`) via commit [`f16a1940ba`](https://github.com/valtimo-platform/valtimo/commit/f16a1940ba7b34627c0b966f98ca78655ace9335) (PR [#497](https://github.com/valtimo-platform/valtimo/pull/497), tracking issue [gzac-issues#653](https://github.com/generiekzaakafhandelcomponent/gzac-issues/issues/653)). The log statement was downgraded from INFO to DEBUG and the message payload was removed from the log output.

### Mitigation
For versions before 13.22.0, consider:
- Restricting access to application logs (stdout/log files)
- Adjusting the log level for `com.ritense.inbox` to WARN or higher in your application configuration

Restricting file access alone does not cover the Admin UI logging module, so raising the log level is the control that closes both exposure paths. Logs already written still contain the payloads; review their retention and purge them where your data-protection obligations require it.
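As an added example of the defect and of the shape of the fix the advisory describes (this is not Valtimo's code), the handler below logs the whole message at INFO beside a hardened handler that logs only correlation identifiers at DEBUG. `InboxMessage`, `OutboxMessageData` and their fields are hypothetical stand-ins for whatever the real `inbox` module uses; the sample BSN value is fake.

```java
import java.util.Map;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical stand-ins (not Valtimo's types) for the wrapper the advisory describes:
// an inbox message carrying outbox message data that may hold PII, a BSN or case details.
// Java records, like Kotlin data classes, generate a toString() that prints every
// component, which is how a payload reaches the log when the whole object is formatted.
record OutboxMessageData(String eventType, Map<String, Object> payload) {}

record InboxMessage(UUID id, OutboxMessageData data) {}

// Before: the pattern the advisory describes. SLF4J renders the "{}" argument via
// toString(), so the entire message, payload included, is written at INFO.
class LeakyInboxHandler {
    private static final Logger logger = LoggerFactory.getLogger(LeakyInboxHandler.class);

    void handle(InboxMessage message) {
        logger.info("Received message: {}", message);
        // ... dispatch to consumers
    }
}

// After: same two changes as the advisory's fix (INFO -> DEBUG, payload removed).
// Only identifiers useful for correlation are logged, never the payload map, and
// the isDebugEnabled() guard skips building the arguments when DEBUG is off.
class HardenedInboxHandler {
    private static final Logger logger = LoggerFactory.getLogger(HardenedInboxHandler.class);

    void handle(InboxMessage message) {
        if (logger.isDebugEnabled()) {
            logger.debug("Received message id={} type={}",
                    message.id(), message.data().eventType());
        }
        // ... dispatch to consumers
    }
}

public class InboxLoggingDemo {
    public static void main(String[] args) {
        // Constructed sample input; the BSN-like value is fake.
        InboxMessage msg = new InboxMessage(
                UUID.randomUUID(),
                new OutboxMessageData("case.created",
                        Map.of("bsn", "123456782", "caseId", "C-42")));

        new LeakyInboxHandler().handle(msg);    // INFO line contains bsn=123456782 and caseId=C-42
        new HardenedInboxHandler().handle(msg); // nothing unless DEBUG is enabled; never the payload
    }
}
```

For the interim mitigation on unfixed versions, the equivalent of the advisory's second bullet in a Spring Boot `application.yml` is `logging.level.com.ritense.inbox: WARN` (this assumes the deployment uses Spring Boot's standard logging properties, which the advisory does not state). Because it removes the INFO line at the source, it also keeps the payload out of the Admin UI logging module.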
| references | 9 entries; only index 0 has content |
| reference_url | https://api.first.org/data/v1/epss?cve=CVE-2026-34164 |
| reference_id | (empty) |
| reference_type | (empty) |

Scores attached to this reference (scoring_system `epss`; `value` is the EPSS probability and `scoring_elements` the accompanying percentile), in date order:

| published_at | value | scoring_elements |
|---|---|---|
| 2026-06-05T12:55:00Z | 0.00015 | 0.03252 |
| 2026-06-06T12:55:00Z | 0.00015 | 0.03262 |
| 2026-06-07T12:55:00Z | 0.00015 | 0.03218 |
| 2026-06-08T12:55:00Z | 0.00015 | 0.03199 |
| 2026-06-09T12:55:00Z | 0.00015 | 0.03174 |
| fixed_packages | (empty) |
| aliases | CVE-2026-34164, GHSA-hfrg-mcvw-8mch |
| risk_score | 3.1 |
| exploitability | 0.5 |
| weighted_severity | 6.2 |
| resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-d477-bm1w-m7fg |
| Fixing_vulnerabilities | (empty) |
| Risk_score | 3.1 |
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/com.ritense.valtimo/inbox@13.4.1.RELEASE |