Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
8 vulnerabilities found for enterprise_security_api by owasp
CVE-2022-24891 (GCVE-0-2022-24891)
Vulnerability from cvelistv5 – Published: 2022-04-27 00:00 – Updated: 2025-11-03 19:26
VLAI
Title
Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file
Summary
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ESAPI | esapi-java-legacy |
Affected:
<= 2.2.3.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:26:55.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230127-0014/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24891",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:48:36.272819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:03:29.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esapi-java-legacy",
"vendor": "ESAPI",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.2.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for \"onsiteURL\" in the **antisamy-esapi.xml** configuration file that can cause \"javascript:\" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the \"onsiteURL\" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers\u0027 release notes and security bulletin."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
},
{
"url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q"
},
{
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230127-0014/"
}
],
"source": {
"advisory": "GHSA-q77q-vx4q-xx6q",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24891",
"datePublished": "2022-04-27T00:00:00.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:26:55.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-23457 (GCVE-0-2022-23457)
Vulnerability from cvelistv5 – Published: 2022-04-25 00:00 – Updated: 2025-11-03 19:26
VLAI
Title
Path Traversal in ESAPI
Summary
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OWASP ESAPI | org.owasp.esapi:esapi |
Affected:
2.3.0.0 , < 2.3.0.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:26:49.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230127-0014/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23457",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:43:25.418830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:14:19.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "org.owasp.esapi:esapi",
"vendor": "OWASP ESAPI",
"versions": [
{
"lessThan": "2.3.0.0",
"status": "affected",
"version": "2.3.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the \u0027input\u0027 path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one\u0027s own implementation of the Validator interface. However, maintainers do not recommend this."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/"
},
{
"url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2"
},
{
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230127-0014/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path Traversal in ESAPI",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23457",
"datePublished": "2022-04-25T00:00:00.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:26:49.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2013-5960 (GCVE-0-2013-5960)
Vulnerability from cvelistv5 – Published: 2013-09-30 10:00 – Updated: 2024-08-06 17:29
VLAI
Summary
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
7 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/62415 | vdb-entryx_refsource_BID |
| http://lists.owasp.org/pipermail/esapi-dev/2013-A… | mailing-listx_refsource_MLIST |
| http://code.google.com/p/owasp-esapi-java/issues/… | x_refsource_CONFIRM |
| https://github.com/ESAPI/esapi-java-legacy/issues/359 | x_refsource_CONFIRM |
| https://github.com/esapi/esapi-java-legacy/issues/306 | x_refsource_CONFIRM |
| https://github.com/ESAPI/esapi-java-legacy/blob/m… | x_refsource_CONFIRM |
| http://owasp-esapi-java.googlecode.com/svn/trunk/… | x_refsource_CONFIRM |
Date Public
2013-08-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:29:42.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "62415",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/issues/359"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/esapi/esapi-java-legacy/issues/306"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-08-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-22T21:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "62415",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/issues/359"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esapi/esapi-java-legacy/issues/306"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5960",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "62415",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"refsource": "MLIST",
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"name": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306",
"refsource": "CONFIRM",
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"name": "https://github.com/ESAPI/esapi-java-legacy/issues/359",
"refsource": "CONFIRM",
"url": "https://github.com/ESAPI/esapi-java-legacy/issues/359"
},
{
"name": "https://github.com/esapi/esapi-java-legacy/issues/306",
"refsource": "CONFIRM",
"url": "https://github.com/esapi/esapi-java-legacy/issues/306"
},
{
"name": "https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt",
"refsource": "CONFIRM",
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt"
},
{
"name": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf",
"refsource": "CONFIRM",
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-5960",
"datePublished": "2013-09-30T10:00:00.000Z",
"dateReserved": "2013-09-30T00:00:00.000Z",
"dateUpdated": "2024-08-06T17:29:42.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-5679 (GCVE-0-2013-5679)
Vulnerability from cvelistv5 – Published: 2013-09-30 10:00 – Updated: 2024-09-16 22:57
VLAI
Summary
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/62415 | vdb-entryx_refsource_BID |
| http://lists.owasp.org/pipermail/esapi-dev/2013-A… | mailing-listx_refsource_MLIST |
| http://code.google.com/p/owasp-esapi-java/issues/… | x_refsource_CONFIRM |
| http://owasp-esapi-java.googlecode.com/svn/trunk/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:22:29.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "62415",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-09-30T10:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "62415",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5679",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "62415",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"refsource": "MLIST",
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"name": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306",
"refsource": "CONFIRM",
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"name": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf",
"refsource": "CONFIRM",
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-5679",
"datePublished": "2013-09-30T10:00:00.000Z",
"dateReserved": "2013-09-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:57:08.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24891 (GCVE-0-2022-24891)
Vulnerability from nvd – Published: 2022-04-27 00:00 – Updated: 2025-11-03 19:26
VLAI
Title
Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file
Summary
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ESAPI | esapi-java-legacy |
Affected:
<= 2.2.3.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:26:55.130Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230127-0014/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24891",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:48:36.272819Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:03:29.928Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "esapi-java-legacy",
"vendor": "ESAPI",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.2.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for \"onsiteURL\" in the **antisamy-esapi.xml** configuration file that can cause \"javascript:\" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the \"onsiteURL\" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers\u0027 release notes and security bulletin."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
},
{
"url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q"
},
{
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230127-0014/"
}
],
"source": {
"advisory": "GHSA-q77q-vx4q-xx6q",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24891",
"datePublished": "2022-04-27T00:00:00.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:26:55.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-23457 (GCVE-0-2022-23457)
Vulnerability from nvd – Published: 2022-04-25 00:00 – Updated: 2025-11-03 19:26
VLAI
Title
Path Traversal in ESAPI
Summary
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| OWASP ESAPI | org.owasp.esapi:esapi |
Affected:
2.3.0.0 , < 2.3.0.0
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-11-03T19:26:49.494Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230127-0014/"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23457",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:43:25.418830Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:14:19.909Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "org.owasp.esapi:esapi",
"vendor": "OWASP ESAPI",
"versions": [
{
"lessThan": "2.3.0.0",
"status": "affected",
"version": "2.3.0.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the \u0027input\u0027 path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one\u0027s own implementation of the Validator interface. However, maintainers do not recommend this."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-27T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/"
},
{
"url": "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2"
},
{
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230127-0014/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Path Traversal in ESAPI",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23457",
"datePublished": "2022-04-25T00:00:00.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2025-11-03T19:26:49.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2013-5960 (GCVE-0-2013-5960)
Vulnerability from nvd – Published: 2013-09-30 10:00 – Updated: 2024-08-06 17:29
VLAI
Summary
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
7 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/62415 | vdb-entryx_refsource_BID |
| http://lists.owasp.org/pipermail/esapi-dev/2013-A… | mailing-listx_refsource_MLIST |
| http://code.google.com/p/owasp-esapi-java/issues/… | x_refsource_CONFIRM |
| https://github.com/ESAPI/esapi-java-legacy/issues/359 | x_refsource_CONFIRM |
| https://github.com/esapi/esapi-java-legacy/issues/306 | x_refsource_CONFIRM |
| https://github.com/ESAPI/esapi-java-legacy/blob/m… | x_refsource_CONFIRM |
| http://owasp-esapi-java.googlecode.com/svn/trunk/… | x_refsource_CONFIRM |
Date Public
2013-08-21 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:29:42.682Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "62415",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/issues/359"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/esapi/esapi-java-legacy/issues/306"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-08-21T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-22T21:57:01.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "62415",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/issues/359"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/esapi/esapi-java-legacy/issues/306"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5960",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "62415",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"refsource": "MLIST",
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"name": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306",
"refsource": "CONFIRM",
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"name": "https://github.com/ESAPI/esapi-java-legacy/issues/359",
"refsource": "CONFIRM",
"url": "https://github.com/ESAPI/esapi-java-legacy/issues/359"
},
{
"name": "https://github.com/esapi/esapi-java-legacy/issues/306",
"refsource": "CONFIRM",
"url": "https://github.com/esapi/esapi-java-legacy/issues/306"
},
{
"name": "https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt",
"refsource": "CONFIRM",
"url": "https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt"
},
{
"name": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf",
"refsource": "CONFIRM",
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-5960",
"datePublished": "2013-09-30T10:00:00.000Z",
"dateReserved": "2013-09-30T00:00:00.000Z",
"dateUpdated": "2024-08-06T17:29:42.682Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-5679 (GCVE-0-2013-5679)
Vulnerability from nvd – Published: 2013-09-30 10:00 – Updated: 2024-09-16 22:57
VLAI
Summary
The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/62415 | vdb-entryx_refsource_BID |
| http://lists.owasp.org/pipermail/esapi-dev/2013-A… | mailing-listx_refsource_MLIST |
| http://code.google.com/p/owasp-esapi-java/issues/… | x_refsource_CONFIRM |
| http://owasp-esapi-java.googlecode.com/svn/trunk/… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:22:29.945Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "62415",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-09-30T10:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "62415",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2013-5679",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "62415",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/62415"
},
{
"name": "[esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation",
"refsource": "MLIST",
"url": "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html"
},
{
"name": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306",
"refsource": "CONFIRM",
"url": "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306"
},
{
"name": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf",
"refsource": "CONFIRM",
"url": "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2013-5679",
"datePublished": "2013-09-30T10:00:00.000Z",
"dateReserved": "2013-09-03T00:00:00.000Z",
"dateUpdated": "2024-09-16T22:57:08.950Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}