-------------------------------------------------------------------------
Debian LTS Advisory DLA-4246-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
July 22, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libowasp-esapi-java
Version        : 2.4.0.0-0+deb11u1
CVE ID         : CVE-2022-23457 CVE-2022-24891 CVE-2025-5878
Debian Bug     : 1010339 1109378

Several security vulnerabilities have been discovered in libowasp-esapi-java,
a Java Enterprise Security API.

CVE-2022-23457:

ESAPI (The OWASP Enterprise Security API) is a free, open source, web
application security control library. Prior to this update the default
implementation of `Validator.getValidDirectoryPath(String, String, File,
boolean)` may incorrectly treat the tested input string as a child of the
specified parent directory. This could allow control-flow bypass checks to
be defeated if an attacker can specify the entire string representing the
'input' path.
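The containment mistake described above is easy to reproduce with a plain string prefix comparison. The following is an added illustration, not ESAPI's own code: it contrasts a naive check on canonical path strings with one that compares whole path elements. The parent directory `/srv/data` and the three input strings are constructed sample values.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

// Illustrative directory-containment check (not ESAPI's implementation).
public class DirectoryContainment {

    // Returns true only if `input`, after canonicalisation (symlinks and
    // ".." resolved), is the parent directory itself or lies beneath it.
    public static boolean isWithin(File parent, String input) throws IOException {
        Path parentPath = parent.getCanonicalFile().toPath();
        Path candidate = new File(input).getCanonicalFile().toPath();
        // Path.startsWith compares whole name elements, so "/srv/data-old"
        // does NOT start with "/srv/data" here.
        return candidate.startsWith(parentPath);
    }

    // The tempting but wrong variant, kept only for contrast: a String
    // prefix test accepts any sibling whose name merely extends the
    // parent's name.
    public static boolean isWithinNaive(File parent, String input) throws IOException {
        String parentPath = parent.getCanonicalPath();
        String candidate = new File(input).getCanonicalPath();
        return candidate.startsWith(parentPath);
    }

    public static void main(String[] args) throws IOException {
        File parent = new File("/srv/data");           // constructed sample
        String[] inputs = {
            "/srv/data/report.txt",      // genuinely inside
            "/srv/data/../data-old/x",   // canonicalises to a sibling
            "/srv/data-old/x",           // shares only the string prefix
        };
        for (String in : inputs) {
            System.out.printf("%-28s element-wise=%-5b naive=%b%n",
                in, isWithin(parent, in), isWithinNaive(parent, in));
        }
    }
}
```

Running the class shows the first input accepted by both checks and the other two accepted only by the naive variant, which is exactly the class of bug a validator's caller cannot detect from the outside.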

CVE-2022-24891:

There is a potential for a cross-site scripting vulnerability in ESAPI
caused by an incorrect regular expression for "onsiteURL" in the
**antisamy-esapi.xml** configuration file that can cause "javascript:" URLs
to fail to be correctly sanitized.
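A regular expression that tries to enumerate bad schemes is fragile; a parser plus an allowlist of acceptable schemes is the usual defensive alternative. The following is an added example and is not the regex from antisamy-esapi.xml; the permitted schemes and the sample inputs in `main` are assumptions chosen for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Illustrative "on-site URL" policy: parse, then allowlist the scheme.
public class OnsiteUrlCheck {

    // Assumed policy: relative URLs and http(s) absolute URLs only.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    public static boolean isAllowed(String raw) {
        if (raw == null || raw.isBlank()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(raw.strip());
        } catch (URISyntaxException e) {
            return false;   // unparsable input is rejected, not guessed at
        }
        String scheme = uri.getScheme();
        if (scheme == null) {
            return true;    // no scheme: a relative, on-site reference
        }
        // Case-insensitive comparison so "JavaScript:" does not slip past.
        return ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = {                      // constructed inputs
            "/docs/index.html",
            "https://example.invalid/page",
            "javascript:alert(1)",
            "JavaScript:alert(1)",
            "data:text/html,hi",
        };
        for (String s : samples) {
            System.out.printf("%-32s allowed=%b%n", s, isAllowed(s));
        }
    }
}
```

Only the first two samples are accepted; the scheme is taken from the parsed URI rather than from a pattern match on the raw string, so capitalisation or surrounding whitespace does not change the outcome.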

CVE-2025-5878:

This issue affects the interface Encoder.encodeForSQL of the
SQL Injection Defense. An attack leads to an improper neutralization of
special elements. We are not aware of any affected reverse-dependencies in
Debian, but if you use ESAPI in a stand-alone project, you should be aware
that the Encoder.encodeForSQL method has been deprecated and will be
removed eventually. In addition, the DB2Codec, MySQLCodec and OracleCodec
classes have been deprecated too. We recommend that you carefully assess
whether your project might be affected by these classes and methods and
whether you have to implement additional steps to secure your application.
The update does not automatically protect you from any potential risks.
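Since Encoder.encodeForSQL and the database codecs are deprecated, the replacement step for a stand-alone project is to stop building SQL text from user input at all and bind values as parameters. The following is an added example, not ESAPI or Debian code; the table and column names are constructed and `conn` is assumed to be a JDBC Connection supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

// Parameterised lookup: the user-supplied value never becomes part of the
// SQL text, so no codec-based escaping (encodeForSQL with MySQLCodec,
// OracleCodec or DB2Codec) is involved.
public class UserLookup {

    // Constructed schema: users(name, email).
    private static final String SQL = "SELECT email FROM users WHERE name = ?";

    public static List<String> emailsForName(Connection conn, String name)
            throws SQLException {
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SQL)) {
            ps.setString(1, name);   // bound as data, whatever characters it holds
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    out.add(rs.getString("email"));
                }
            }
        }
        return out;
    }
}
```

The escaping approach concatenates an encoded value into a query string and is only as good as the codec's knowledge of the database's quoting rules; a bound parameter is handed to the driver separately from the statement, which is why it is the step to take when removing the deprecated calls.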
For Debian 11 bullseye, these problems have been fixed in version
2.4.0.0-0+deb11u1.
We recommend that you upgrade your libowasp-esapi-java packages.
For the detailed security status of libowasp-esapi-java please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/libowasp-esapi-java
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS