org.owasp.esapi:esapi@2.0_rc11 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.owasp.esapi:esapi package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below lists the vulnerability, its severity (H = high, M = medium, L = low) and the vulnerable version range.

Severity: High
Cross-site Scripting (XSS)

org.owasp.esapi:esapi is an OWASP project to create simple strong security controls for every web platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the Validator.isValidSafeHTML method. The method can return false negatives, reporting some input as safe when it is not; if the application then uses that input without further validation, the vulnerability persists.

Notes:

  1. This is only exploitable if the Validator.isValidSafeHTML method is used.

  2. Validator.getValidSafeHTML is believed to be safe to use with the default antisamy-esapi.xml AntiSamy policy file.

  3. The vulnerable method was deprecated in version 2.5.3.0.

How to fix Cross-site Scripting (XSS)?

There is no fixed version for org.owasp.esapi:esapi.

Vulnerable versions: [0,)

Severity: High
Denial of Service (DoS)

org.owasp.esapi:esapi is an OWASP project to create simple strong security controls for every web platform.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the HTTPUtilities.getFileUploads and ESAPIWebApplicationFirewallFilter methods, by uploading large numbers of files in a single upload or in a series of uploads.

Note:

If you are using any of the HTTPUtilities.getFileUploads methods, you are potentially affected.

Upgrading to version 2.5.2.0 addresses the issue described in CVE-2023-24998 but to be fully protected the maintainer recommends taking additional prevention steps as described below.

How to fix Denial of Service (DoS)?

There is no fixed version for org.owasp.esapi:esapi.

Vulnerable versions: [0,)

Severity: Medium
Cross-site Scripting (XSS)

org.owasp.esapi:esapi is an OWASP project to create simple strong security controls for every web platform.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Validator.getValidSafeHTML() and Validator.isValidSafeHTML() methods. An incorrect regular expression for onsiteURL in the antisamy-esapi.xml configuration file can cause URLs with the javascript: scheme to not be sanitized.

How to fix Cross-site Scripting (XSS)?

Upgrade org.owasp.esapi:esapi to version 2.3.0.0 or higher.

Vulnerable versions: [,2.3.0.0)

Severity: High
Directory Traversal

org.owasp.esapi:esapi is an OWASP project to create simple strong security controls for every web platform.

Affected versions of this package are vulnerable to Directory Traversal via the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean), which may incorrectly treat the tested input string as a child of the specified parent directory. This could allow control-flow bypass checks to be defeated if an attacker can specify the entire string representing the 'input' path.

Note: As a workaround, it is possible to write one's own implementation of the Validator interface by sub-classing a version of the affected DefaultValidator class and then overriding the affected getValidDirectoryPath() to correct the issue. However, the maintainers do not recommend this.

How to fix Directory Traversal?

Upgrade org.owasp.esapi:esapi to version 2.3.0.0 or higher.

Vulnerable versions: [,2.3.0.0)

Severity: Medium
Oracle Padding Attack

org.owasp.esapi:esapi is an OWASP project to create simple strong security controls for every web platform.

Affected versions of this package are vulnerable to Oracle Padding Attack due to improper configurations of the encryption API.

How to fix Oracle Padding Attack?

Upgrade org.owasp.esapi:esapi to version 2.0GA or higher.

Vulnerable versions: [,2.0GA)

Severity: Low
XML External Entity (XXE) Injection

org.owasp.esapi:esapi is an OWASP project to create simple strong security controls for every web platform.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via alteration of local ESAPI configuration and loading XML version of the ESAPI properties file.

How to fix XML External Entity (XXE) Injection?

Upgrade org.owasp.esapi:esapi to version 2.2.3.0 or higher.

Vulnerable versions: [0,2.2.3.0)

Severity: Medium
MAC validation Bypass

org.owasp.esapi:esapi is an OWASP project to create simple strong security controls for every web platform.

Affected versions of this package are vulnerable to MAC validation Bypass. The library does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

How to fix MAC validation Bypass?

Upgrade org.owasp.esapi:esapi to version 2.1.0.1 or higher.

Vulnerable versions: [,2.1.0.1)