esapi-2.2.0.0.jar: 5 vulnerabilities (highest severity is: 7.5) #15
Description
Vulnerable Library - esapi-2.2.0.0.jar
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: http://www.owasp.org/index.php
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Found in HEAD commit: 12a45ad6258e0fbc17ef254a002ed04eff3600aa
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (esapi version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| WS-2023-0388 |  High |
7.5 | esapi-2.2.0.0.jar | Direct | 2.5.2.0 | ✅ |
| CVE-2022-23457 | High |
7.5 | esapi-2.2.0.0.jar | Direct | 2.3.0.0 | ✅ |
| CVE-2025-5878 | High |
7.3 | esapi-2.2.0.0.jar | Direct | N/A | ❌ |
| WS-2023-0429 |  Medium |
6.1 | esapi-2.2.0.0.jar | Direct | 2.6.0.0 | ✅ |
| CVE-2022-24891 | Medium |
5.4 | esapi-2.2.0.0.jar | Direct | 2.3.0.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0388
Vulnerable Library - esapi-2.2.0.0.jar
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: http://www.owasp.org/index.php
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
- ❌ esapi-2.2.0.0.jar (Vulnerable Library)
Found in HEAD commit: 12a45ad6258e0fbc17ef254a002ed04eff3600aa
Found in base branch: master
Vulnerability Details
ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods (or more specifically those methods in the DefaultHTTPUtilities implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well.
Publish Date: 2024-12-06
URL: WS-2023-0388
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.mend.io/vulnerability-database/WS-2023-0388
Release Date: 2024-12-06
Fix Resolution: 2.5.2.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-23457
Vulnerable Library - esapi-2.2.0.0.jar
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: http://www.owasp.org/index.php
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
- ❌ esapi-2.2.0.0.jar (Vulnerable Library)
Found in HEAD commit: 12a45ad6258e0fbc17ef254a002ed04eff3600aa
Found in base branch: master
Vulnerability Details
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of "Validator.getValidDirectoryPath(String, String, File, boolean)" may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
Publish Date: 2022-04-25
URL: CVE-2022-23457
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-8m5h-hrqm-pxm2
Release Date: 2022-04-25
Fix Resolution: 2.3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-5878
Vulnerable Library - esapi-2.2.0.0.jar
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: http://www.owasp.org/index.php
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
- ❌ esapi-2.2.0.0.jar (Vulnerable Library)
Found in HEAD commit: 12a45ad6258e0fbc17ef254a002ed04eff3600aa
Found in base branch: master
Vulnerability Details
A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks.
Publish Date: 2025-06-29
URL: CVE-2025-5878
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
WS-2023-0429
Vulnerable Library - esapi-2.2.0.0.jar
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: http://www.owasp.org/index.php
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
- ❌ esapi-2.2.0.0.jar (Vulnerable Library)
Found in HEAD commit: 12a45ad6258e0fbc17ef254a002ed04eff3600aa
Found in base branch: master
Vulnerability Details
The Validator.isValidSafeHTML method can result in false negatives where it reports some input as safe (i.e., returns true), but really isn't, and using that same input as-is can in certain circumstances result in XSS vulnerabilities. Because this method cannot be fixed, it is being deprecated and will be removed in one years time from when this advisory is published.
Note that all versions of ESAPI, that have this method (which dates back to at least the ESAPI 1.3 release more than 15 years ago) have this issue and it will continue to exist until these two methods are removed in a future ESAPI release.
Publish Date: 2024-12-07
URL: WS-2023-0429
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.mend.io/vulnerability-database/WS-2023-0429
Release Date: 2024-12-07
Fix Resolution: 2.6.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2022-24891
Vulnerable Library - esapi-2.2.0.0.jar
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: http://www.owasp.org/index.php
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
- ❌ esapi-2.2.0.0.jar (Vulnerable Library)
Found in HEAD commit: 12a45ad6258e0fbc17ef254a002ed04eff3600aa
Found in base branch: master
Vulnerability Details
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the antisamy-esapi.xml configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
Publish Date: 2022-04-27
URL: CVE-2022-24891
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-q77q-vx4q-xx6q
Release Date: 2022-04-27
Fix Resolution: 2.3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.