Description

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Remediation

References

http://code.google.com/p/owasp-esapi-java/issues/detail?id=306

http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html

http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf

http://www.securityfocus.com/bid/62415

https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt

https://github.com/esapi/esapi-java-legacy/issues/306

https://github.com/ESAPI/esapi-java-legacy/issues/359

Related Vulnerabilities

CVE-2022-28820 Vulnerability in maven package com.adobe.acs:acs-aem-commons-ui.apps

CVE-2020-13128 Vulnerability in maven package com.googlecode.gwtupload:gwtupload-project

CVE-2017-16104 Vulnerability in npm package citypredict.whauwiller

CVE-2023-34981 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2023-29207 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

Severity

Critical

Classification

CWE-310

Tags

Exploit Patch Vendor Advisory Third Party Advisory VDB Entry Release Notes Issue Tracking