Description

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Remediation

References

http://code.google.com/p/owasp-esapi-java/issues/detail?id=306

http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html

http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf

http://www.securityfocus.com/bid/62415

https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt

https://github.com/esapi/esapi-java-legacy/issues/306

https://github.com/ESAPI/esapi-java-legacy/issues/359

Related Vulnerabilities

CVE-2021-23444 Vulnerability in npm package jointjs

CVE-2022-22963 Vulnerability in maven package org.springframework.cloud:spring-cloud-function-core

CVE-2022-0272 Vulnerability in maven package io.gitlab.arturbosch.detekt:detekt-core

CVE-2022-25898 Vulnerability in maven package org.webjars.bower:jsrsasign

CVE-2017-20162 Vulnerability in npm package ms

Severity

Critical

Classification

CWE-310

Tags

Exploit Patch Vendor Advisory Third Party Advisory VDB Entry Release Notes Issue Tracking