Description

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Remediation

References

http://code.google.com/p/owasp-esapi-java/issues/detail?id=306

http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html

http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf

http://www.securityfocus.com/bid/62415

https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt

https://github.com/esapi/esapi-java-legacy/issues/306

https://github.com/ESAPI/esapi-java-legacy/issues/359

Related Vulnerabilities

CVE-2023-33201 Vulnerability in maven package org.bouncycastle:bcprov-ext-jdk15to18

CVE-2023-49374 Vulnerability in maven package com.jfinal:jfinal

CVE-2023-30518 Vulnerability in maven package io.jenkins.plugins:thycotic-secret-server

CVE-2023-43123 Vulnerability in maven package org.apache.storm:storm-client

CVE-2022-24822 Vulnerability in npm package @podium/proxy

Severity

Critical

Classification

CWE-310

Tags

Exploit Patch Vendor Advisory Third Party Advisory VDB Entry Release Notes Issue Tracking