Vulnerable Library - esapi-2.1.0.1.jar
The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Vulnerabilities
| CVE |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (esapi version) |
Remediation Possible** |
| CVE-2022-23457 |
 Critical |
9.8 |
esapi-2.1.0.1.jar |
Direct |
2.3.0.0 |
β
|
| CVE-2016-2510 |
 High |
8.1 |
bsh-core-2.0b4.jar |
Transitive |
N/A* |
β |
| WS-2023-0388 |
High |
7.5 |
esapi-2.1.0.1.jar |
Direct |
2.5.2.0 |
β
|
| WS-2014-0034 |
High |
7.5 |
commons-fileupload-1.3.1.jar |
Transitive |
2.4.0.0 |
β
|
| CVE-2023-24998 |
High |
7.5 |
commons-fileupload-1.3.1.jar |
Transitive |
2.5.2.0 |
β
|
| CVE-2022-34169 |
High |
7.5 |
xalan-2.7.0.jar |
Transitive |
N/A* |
β |
| CVE-2022-29546 |
High |
7.5 |
nekohtml-1.9.16.jar |
Transitive |
N/A* |
β |
| CVE-2022-28366 |
High |
7.5 |
nekohtml-1.9.16.jar |
Transitive |
N/A* |
β |
| CVE-2022-24839 |
High |
7.5 |
nekohtml-1.9.16.jar |
Transitive |
N/A* |
β |
| CVE-2016-3092 |
High |
7.5 |
commons-fileupload-1.3.1.jar |
Transitive |
2.2.0.0 |
β
|
| CVE-2012-0881 |
High |
7.5 |
xercesImpl-2.8.0.jar |
Transitive |
2.5.3.0 |
β
|
| CVE-2019-10086 |
High |
7.3 |
commons-beanutils-core-1.8.3.jar |
Transitive |
N/A* |
β |
| CVE-2016-1000031 |
High |
7.3 |
commons-fileupload-1.3.1.jar |
Transitive |
2.2.0.0 |
β
|
| CVE-2014-0114 |
High |
7.3 |
commons-beanutils-core-1.8.3.jar |
Transitive |
N/A* |
β |
| CVE-2014-0107 |
High |
7.3 |
xalan-2.7.0.jar |
Transitive |
2.5.0.0 |
β
|
| CVE-2022-23437 |
 Medium |
6.5 |
xercesImpl-2.8.0.jar |
Transitive |
N/A* |
β |
| WS-2023-0429 |
Medium |
6.1 |
esapi-2.1.0.1.jar |
Direct |
N/A |
β |
| CVE-2024-23635 |
Medium |
6.1 |
antisamy-1.5.3.jar |
Transitive |
N/A* |
β |
| CVE-2023-43643 |
Medium |
6.1 |
antisamy-1.5.3.jar |
Transitive |
2.5.3.0 |
β
|
| CVE-2022-29577 |
Medium |
6.1 |
antisamy-1.5.3.jar |
Transitive |
2.3.0.0 |
β
|
| CVE-2022-28367 |
Medium |
6.1 |
antisamy-1.5.3.jar |
Transitive |
2.3.0.0 |
β
|
| CVE-2022-24891 |
Medium |
6.1 |
esapi-2.1.0.1.jar |
Direct |
2.3.0.0 |
β
|
| CVE-2021-35043 |
Medium |
6.1 |
antisamy-1.5.3.jar |
Transitive |
2.3.0.0 |
β
|
| CVE-2017-14735 |
Medium |
6.1 |
antisamy-1.5.3.jar |
Transitive |
2.2.0.0 |
β
|
| CVE-2016-10006 |
Medium |
6.1 |
antisamy-1.5.3.jar |
Transitive |
2.2.0.0 |
β
|
| CVE-2013-4002 |
Medium |
5.9 |
xercesImpl-2.8.0.jar |
Transitive |
2.5.3.0 |
β
|
| CVE-2020-14338 |
Medium |
5.3 |
xercesImpl-2.8.0.jar |
Transitive |
2.5.3.0 |
β
|
| CVE-2009-2625 |
Medium |
5.3 |
xercesImpl-2.8.0.jar |
Transitive |
2.5.3.0 |
β
|
| CVE-2021-29425 |
Medium |
4.8 |
commons-io-2.2.jar |
Transitive |
2.5.3.0 |
β
|
| CVE-2012-5783 |
Medium |
4.8 |
commons-httpclient-3.1.jar |
Transitive |
2.2.0.0 |
β
|
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2022-23457
Vulnerable Library - esapi-2.1.0.1.jar
The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Dependency Hierarchy:
- β esapi-2.1.0.1.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
Publish Date: 2022-04-25
URL: CVE-2022-23457
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-8m5h-hrqm-pxm2
Release Date: 2022-04-25
Fix Resolution: 2.3.0.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2016-2510
Vulnerable Library - bsh-core-2.0b4.jar
BeanShell core
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/beanshell/bsh-core/2.0b4/bsh-core-2.0b4.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β bsh-core-2.0b4.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Publish Date: 2016-04-07
URL: CVE-2016-2510
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2510
Release Date: 2016-04-07
Fix Resolution: 2.0b6
WS-2023-0388
Vulnerable Library - esapi-2.1.0.1.jar
The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Dependency Hierarchy:
- β esapi-2.1.0.1.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods (or more specifically those methods in the DefaultHTTPUtilities implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well.
Publish Date: 2023-10-28
URL: WS-2023-0388
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7c2q-5qmr-v76q
Release Date: 2023-10-28
Fix Resolution: 2.5.2.0
βοΈ Automatic Remediation will be attempted for this issue.
WS-2014-0034
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β commons-fileupload-1.3.1.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2014-02-17
Fix Resolution (commons-fileupload:commons-fileupload): 1.4
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.4.0.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2023-24998
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β commons-fileupload-1.3.1.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-10.html
Release Date: 2023-02-20
Fix Resolution (commons-fileupload:commons-fileupload): 1.5
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.2.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2022-34169
Vulnerable Library - xalan-2.7.0.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- xom-1.2.5.jar
- β xalan-2.7.0.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Publish Date: 2022-07-19
URL: CVE-2022-34169
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9339-86wc-4qgf
Release Date: 2022-07-19
Fix Resolution: xalan:xalan:2.7.3
CVE-2022-29546
Vulnerable Library - nekohtml-1.9.16.jar
An HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.16/nekohtml-1.9.16.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- antisamy-1.5.3.jar
- β nekohtml-1.9.16.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.
Publish Date: 2022-04-25
URL: CVE-2022-29546
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2022-04-25
Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.61.0
CVE-2022-28366
Vulnerable Library - nekohtml-1.9.16.jar
An HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.16/nekohtml-1.9.16.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- antisamy-1.5.3.jar
- β nekohtml-1.9.16.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Publish Date: 2022-04-21
URL: CVE-2022-28366
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-g9hh-vvx3-v37v
Release Date: 2022-04-21
Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.27
CVE-2022-24839
Vulnerable Library - nekohtml-1.9.16.jar
An HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.16/nekohtml-1.9.16.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- antisamy-1.5.3.jar
- β nekohtml-1.9.16.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
org.cyberneko.html is an html parser written in Java. The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup. Users are advised to upgrade to >= 1.9.22.noko2. Note: The upstream library org.cyberneko.html is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
Publish Date: 2022-04-11
URL: CVE-2022-24839
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-9849-p7jc-9rmv
Release Date: 2022-04-11
Fix Resolution: net.sourceforge.nekohtml:nekohtml:1.9.22.noko2
CVE-2016-3092
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β commons-fileupload-1.3.1.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2012-0881
Vulnerable Library - xercesImpl-2.8.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- xom-1.2.5.jar
- β xercesImpl-2.8.0.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution (xerces:xercesImpl): 2.12.0
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2019-10086
Vulnerable Library - commons-beanutils-core-1.8.3.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects.
The Apache projects are characterized by a collaborative, consensus based development process, an open and
pragmatic software license, and a desire to create high quality software that leads the way in its field.
We consider ourselves not simply a group of projects sharing a server, but rather a community of developers
and users.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β commons-beanutils-core-1.8.3.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
CVE-2016-1000031
Vulnerable Library - commons-fileupload-1.3.1.jar
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
Library home page: http://commons.apache.org/proper/commons-fileupload/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.3.1/commons-fileupload-1.3.1.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β commons-fileupload-1.3.1.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2014-0114
Vulnerable Library - commons-beanutils-core-1.8.3.jar
The Apache Software Foundation provides support for the Apache community of open-source software projects.
The Apache projects are characterized by a collaborative, consensus based development process, an open and
pragmatic software license, and a desire to create high quality software that leads the way in its field.
We consider ourselves not simply a group of projects sharing a server, but rather a community of developers
and users.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils-core/1.8.3/commons-beanutils-core-1.8.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β commons-beanutils-core-1.8.3.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
CVE-2014-0107
Vulnerable Library - xalan-2.7.0.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- xom-1.2.5.jar
- β xalan-2.7.0.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Publish Date: 2014-04-15
URL: CVE-2014-0107
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
Release Date: 2014-04-15
Fix Resolution (xalan:xalan): 2.7.2
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.0.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2022-23437
Vulnerable Library - xercesImpl-2.8.0.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- xom-1.2.5.jar
- β xercesImpl-2.8.0.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
WS-2023-0429
Vulnerable Library - esapi-2.1.0.1.jar
The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Dependency Hierarchy:
- β esapi-2.1.0.1.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
The Validator.isValidSafeHTML method can result in false negatives where it reports some input as safe (i.e., returns true), but really isn't, and using that same input as-is can in certain circumstances result in XSS vulnerabilities. Because this method cannot be fixed, it is being deprecated and will be removed in one years time from when this advisory is published.
Note that all versions of ESAPI, that have this method (which dates back to at least the ESAPI 1.3 release more than 15 years ago) have this issue and it will continue to exist until these two methods are removed in a future ESAPI release.
Publish Date: 2023-11-24
URL: WS-2023-0429
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
CVE-2024-23635
Vulnerable Library - antisamy-1.5.3.jar
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML
and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β antisamy-1.5.3.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the preserveComments directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
Publish Date: 2024-02-02
URL: CVE-2024-23635
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2mrq-w8pv-5pvq
Release Date: 2024-02-02
Fix Resolution: org.owasp.antisamy:antisamy:1.7.5
CVE-2023-43643
Vulnerable Library - antisamy-1.5.3.jar
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML
and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β antisamy-1.5.3.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the preserveComments directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
Publish Date: 2023-10-09
URL: CVE-2023-43643
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43643
Release Date: 2023-10-09
Fix Resolution (org.owasp.antisamy:antisamy): 1.7.4
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2022-29577
Vulnerable Library - antisamy-1.5.3.jar
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML
and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β antisamy-1.5.3.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
Publish Date: 2022-04-21
URL: CVE-2022-29577
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29577
Release Date: 2022-04-21
Fix Resolution (org.owasp.antisamy:antisamy): 1.6.7
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.3.0.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2022-28367
Vulnerable Library - antisamy-1.5.3.jar
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML
and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/antisamy/antisamy/1.5.3/antisamy-1.5.3.jar
Dependency Hierarchy:
- esapi-2.1.0.1.jar (Root Library)
- β antisamy-1.5.3.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
Publish Date: 2022-04-21
URL: CVE-2022-28367
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28367
Release Date: 2022-04-21
Fix Resolution (org.owasp.antisamy:antisamy): 1.6.6
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.3.0.0
βοΈ Automatic Remediation will be attempted for this issue.
CVE-2022-24891
Vulnerable Library - esapi-2.1.0.1.jar
The Enterprise Security API (ESAPI) project is an OWASP project
to create simple strong security controls for every web platform.
Security controls are not simple to build. You can read about the
hundreds of pitfalls for unwary developers on the OWASP web site. By
providing developers with a set of strong controls, we aim to
eliminate some of the complexity of creating secure web applications.
This can result in significant cost savings across the SDLC.
Library home page: https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Path to dependency file: /pom.xml
Path to vulnerable library: /repository/org/owasp/esapi/esapi/2.1.0.1/esapi-2.1.0.1.jar
Dependency Hierarchy:
- β esapi-2.1.0.1.jar (Vulnerable Library)
Found in HEAD commit: 770fb4f9d70b2c34df0e637e6ee40654762d578e
Found in base branch: branchTEST
Vulnerability Details
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the antisamy-esapi.xml configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
Publish Date: 2022-04-27
URL: CVE-2022-24891
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-q77q-vx4q-xx6q
Release Date: 2022-04-27
Fix Resolution: 2.3.0.0
βοΈ Automatic Remediation will be attempted for this issue.
βοΈAutomatic Remediation will be attempted for this issue.
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "mend-for-github-com[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent