Description

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Remediation

References

http://code.google.com/p/owasp-esapi-java/issues/detail?id=306

http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html

http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf

http://www.securityfocus.com/bid/62415

https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt

https://github.com/esapi/esapi-java-legacy/issues/306

https://github.com/ESAPI/esapi-java-legacy/issues/359

Related Vulnerabilities

CVE-2020-13822 Vulnerability in maven package org.webjars.npm:elliptic

CVE-2021-25916 Vulnerability in npm package patchmerge

CVE-2023-37899 Vulnerability in npm package @feathersjs/transport-commons

CVE-2022-24823 Vulnerability in maven package io.netty:netty-codec-http

CVE-2022-38900 Vulnerability in maven package org.webjars.bowergithub.samverschueren:decode-uri-component

Severity

Critical

Classification

CWE-310

Tags

Exploit Patch Vendor Advisory Third Party Advisory VDB Entry Release Notes Issue Tracking