Package: libowasp-esapi-java
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for libowasp-esapi-java.
CVE-2025-5878[0]:
| A vulnerability was found in ESAPI esapi-java-legacy and classified
| as problematic. This issue affects the interface
| Encoder.encodeForSQL of the SQL Injection Defense. An attack leads
| to an improper neutralization of special elements. The attack may be
| initiated remotely and an exploit has been disclosed to the public.
| The project was contacted early about this issue and handled it with
| an exceptional level of professionalism. Upgrading to version
| 2.7.0.0 is able to address this issue. Commit ID
| f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by
| default and any attempt to use it will trigger a warning. And commit
| ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the
| misleading Java class documentation to warn about the risks.
https://github.com/ESAPI/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512 (esapi-2.7.0.0)
https://github.com/ESAPI/esapi-java-legacy/commit/e2322914304d9b1c52523ff24be495b7832f6a56 (esapi-2.7.0.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0]
https://security-tracker.debian.org/tracker/CVE-2025-5878
https://www.cve.org/CVERecord?id=CVE-2025-5878
Please adjust the affected versions in the BTS as needed.
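The advisory above flags Encoder.encodeForSQL as an unreliable SQL injection defense and records that upstream disabled it by default rather than fix it. The following is an added example, not code from the bug report or from the ESAPI project, illustrating the general failure class behind escaping-based defenses: an escaper that doubles quotes only helps when the value lands inside a quoted literal, and does nothing for an unquoted (numeric) context, whereas a bound parameter never becomes part of the SQL text. The escape_sql_string helper is a hypothetical stand-in for such an encoder, not ESAPI's codec, the users table is constructed sample data, and the payloads shown are generic illustrations rather than the specific bypass behind CVE-2025-5878, which the report does not describe.

```python
import sqlite3

# Constructed sample data for the example (not taken from the bug report).
USERS = [
    (1, "alice", "alice@example.org", 0),
    (2, "bob", "bob@example.org", 0),
    (3, "root", "root@example.org", 1),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    return conn


def escape_sql_string(value):
    """Hypothetical escaping-style encoder (stand-in, NOT ESAPI's codec).

    Doubles single quotes so the value can sit inside a '...' literal.
    It has no notion of where the caller will splice the result, which is
    exactly why escaping alone is not a complete SQL injection defense.
    """
    return str(value).replace("'", "''")


def lookup_by_name_escaped(conn, name):
    """Escaper used where the value really is inside quotes.

    Here the classic quote-breaking payload is neutralized: the doubled quote
    keeps the whole payload inside the string literal.
    """
    sql = "SELECT id, name FROM users WHERE name = '%s' ORDER BY id" % escape_sql_string(name)
    return conn.execute(sql).fetchall()


def lookup_by_id_escaped(conn, user_id):
    """Same escaper, but spliced into a numeric (unquoted) context.

    There is nothing to escape, so the payload reaches the SQL parser
    verbatim and changes the query's meaning.
    """
    sql = "SELECT id, name FROM users WHERE id = %s ORDER BY id" % escape_sql_string(user_id)
    return conn.execute(sql).fetchall()


def lookup_by_id_parameterized(conn, user_id):
    """The defense the advisory's remediation points toward: a bound parameter.

    The value is handed to the driver separately from the SQL text, so it can
    only ever be compared as data; "1 OR is_admin = 1" simply matches no id.
    """
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ? ORDER BY id", (user_id,)
    ).fetchall()


def demo():
    """Run the three lookups against the same payloads and collect the results."""
    conn = make_db()
    return {
        "escaped_in_quotes": lookup_by_name_escaped(conn, "' OR 1=1 --"),
        "escaped_unquoted": lookup_by_id_escaped(conn, "1 OR is_admin = 1"),
        "parameterized": lookup_by_id_parameterized(conn, "1 OR is_admin = 1"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-20s -> %r" % (label, rows))
```

The point for anyone carrying ESAPI-based code: an encoder that is correct for one splice context is silently wrong in another, and the library cannot see the context. Parameterized queries (PreparedStatement in Java) remove the question entirely, which is why upstream chose to disable encodeForSQL by default and warn instead of shipping a "better" escaper.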