GHSA-2g56-7jv7-wxxq

Source
https://github.com/advisories/GHSA-2g56-7jv7-wxxq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2g56-7jv7-wxxq/GHSA-2g56-7jv7-wxxq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2g56-7jv7-wxxq
Aliases
  • CVE-2013-5960
Published
2022-05-14T01:37:06Z
Modified
2024-11-30T05:49:33.636712Z
Summary
Missing Cryptographic Step in OWASP Enterprise Security API for Java
Details

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Database specific
{
    "nvd_published_at": "2013-09-30T17:09:00Z",
    "cwe_ids": [
        "CWE-325"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-08T19:39:44Z"
}
References

Affected packages

Maven / org.owasp.esapi:esapi

Package

Name
org.owasp.esapi:esapi
Purl
pkg:maven/org.owasp.esapi/esapi

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0.0
Fixed
2.1.0.1

Affected versions

2.*

2.0GA
2.0_rc9
2.0_rc10
2.0_rc11
2.0.1
2.1.0

Database specific

{
    "last_known_affected_version_range": "<= 2.1.0.0"
}