CVE-2013-5679
Summary
| CVE | CVE-2013-5679 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2013-09-30 17:09:00 UTC |
| Updated | 2016-05-06 00:14:00 UTC |
| Description | The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length. |
Risk And Classification
Problem Types: CWE-310
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Owasp | Enterprise Security Api | 2.0 | All | All | All |
| Application | Owasp | Enterprise Security Api | 2.0.1 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [Esapi-dev] ESAPI Java and Authenticated encryption implementation | MLIST | lists.owasp.org | |
| Issue 306 - owasp-esapi-java - Crypto MAC by-pass makes default ESAPI symmetric encrytion using CBC mode vulnerable to padding oracle attacks - OWASP Enterprise Security API (Java Edition) - Google Project Hosting | CONFIRM | code.google.com | Exploit |
| OWASP ESAPI Java patch / vendor advisory (original page title not recoverable; link now returns HTTP 404) | CONFIRM | owasp-esapi-java.googlecode.com | Patch, Vendor Advisory |
| OWASP ESAPI CBC Mode HMAC Authentication Bypass Vulnerability | BID | www.securityfocus.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.