Description

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Remediation

References

http://code.google.com/p/owasp-esapi-java/issues/detail?id=306

http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html

http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf

http://www.securityfocus.com/bid/62415

https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt

https://github.com/esapi/esapi-java-legacy/issues/306

https://github.com/ESAPI/esapi-java-legacy/issues/359

Related Vulnerabilities

CVE-2021-21172 Vulnerability in maven package org.webjars.npm:electron

CVE-2023-2422 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2022-41710 Vulnerability in npm package electron-markdownify

CVE-2017-3203 Vulnerability in maven package org.springframework.flex:spring-flex-core

CVE-2022-42890 Vulnerability in maven package org.apache.xmlgraphics:batik-script

Severity

Critical

Classification

CWE-310

Tags

Exploit Patch Vendor Advisory Third Party Advisory VDB Entry Release Notes Issue Tracking