CVE-2022-24891

Cross-site Scripting in org.owasp.esapi:esapi -- antisamy-esapi.xml configuration file

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.

ESAPI (The OWASP Enterprise Security API) es una biblioteca de control de seguridad de aplicaciones web gratuita y de código abierto. En versiones anteriores a 2.3.0.0, se presentaba la posibilidad de una vulnerabilidad de tipo cross-site scripting en ESAPI causada por una expresión regular incorrecta para "onsiteURL" en el archivo de configuración **antisamy-esapi.xml** que puede causar que las URLs "javascript:" no sean saneadas correctamente. Este problema ha sido corregido en ESAPI versión 2.3.0.0. Como medida de mitigación, edite manualmente los archivos de configuración **antisamy-esapi.xml** para cambiar la expresión regular "onsiteURL". En las notas de la versión y en el boletín de seguridad de los mantenedores se presenta más información sobre la corrección de la vulnerabilidad, incluida la mitigación

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-04-27 CVE Published
2023-11-18 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (5)

URL	Tag	Source
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt	Release Notes
https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q	Third Party Advisory
https://security.netapp.com/advisory/ntap-20230127-0014	Third Party Advisory

URL	Date	SRC
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf	2024-08-03

URL	Date	SRC
https://www.oracle.com/security-alerts/cpujul2022.html	2023-06-23

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Owasp Search vendor "Owasp"		Enterprise Security Api Search vendor "Owasp" for product "Enterprise Security Api"				< 2.3.0.0 Search vendor "Owasp" for product "Enterprise Security Api" and version " < 2.3.0.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.3.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				12.2.1.4.0 Search vendor "Oracle" for product "Weblogic Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Weblogic Server Search vendor "Oracle" for product "Weblogic Server"				14.1.1.0.0 Search vendor "Oracle" for product "Weblogic Server" and version "14.1.1.0.0"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		linux		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		windows		Affected
Netapp Search vendor "Netapp"		Oncommand Workflow Automation Search vendor "Netapp" for product "Oncommand Workflow Automation"				-		-		Affected