Debian 11: DLA-4246-1 libowasp-esapi-java Critical XSS Security Update

debian lts
July 22, 2025
Distribution: Debian 11 (LTS)
This Debian LTS advisory ships fixes for libowasp-esapi-java, the OWASP Enterprise Security API for Java, on Debian 11 (bullseye). The affected components are the validation, encoding and HTML-sanitisation controls that applications call to defend themselves, so an unpatched library carries each flaw into every place those helpers are used.
Several security vulnerabilities have been discovered in libowasp-esapi-java, a Java Enterprise Security API.

Summary

CVE-2022-23457:

ESAPI (The OWASP Enterprise Security API) is a free, open source, web
application security control library. Prior to this update the default
implementation of `Validator.getValidDirectoryPath(String, String, File,
boolean)` could incorrectly treat the tested input string as a child of the
specified parent directory. This could allow the directory-containment
check to be defeated if an attacker can specify the entire string
representing the 'input' path.
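To make this weakness class concrete, here is an added illustration in Python; it is neither ESAPI's code nor the patched Java logic. It places a string-prefix containment check of the kind the advisory describes beside a check that canonicalises both paths and compares them component by component. The parent directory `/srv/app/uploads` and the candidate inputs are constructed for the example, nothing needs to exist on disk, and POSIX paths are assumed.

```python
import os

# Constructed example parent directory; nothing needs to exist on disk.
UPLOAD_ROOT = "/srv/app/uploads"


def naive_is_child(parent: str, candidate: str) -> bool:
    """Weak containment check (illustrative, not ESAPI's implementation).

    Joins the two strings and tests a string prefix. This has two holes:
    "../" segments are never collapsed, and a sibling whose name merely
    starts with the parent's name ("/srv/app/uploads-old") shares the
    prefix without being inside the directory.
    """
    joined = os.path.join(parent, candidate)  # an absolute candidate discards parent
    return joined.startswith(parent)


def hardened_is_child(parent: str, candidate: str) -> bool:
    """Canonicalise, then compare path components rather than characters.

    realpath() collapses "." and ".." and follows any symlinks that exist,
    so a link inside the parent that points elsewhere is caught as well.
    commonpath() compares whole components, so "uploads-old" is not mistaken
    for a child of "uploads". The parent itself is not accepted as its own child.
    """
    parent_real = os.path.realpath(parent)
    cand_real = os.path.realpath(os.path.join(parent_real, candidate))
    if cand_real == parent_real:
        return False
    try:
        return os.path.commonpath([parent_real, cand_real]) == parent_real
    except ValueError:  # mixing absolute and relative paths, or different drives
        return False


# Constructed inputs for the three cases that matter, with the verdict a
# correct check must give.
CASES = {
    "reports/2025.pdf": True,              # genuine child
    "../../../etc/passwd": False,          # traversal out of the parent
    "/srv/app/uploads-old/secret": False,  # sibling sharing the prefix
}


def compare(cases=CASES):
    """Return {input: (naive_verdict, hardened_verdict)} for inspection."""
    return {c: (naive_is_child(UPLOAD_ROOT, c), hardened_is_child(UPLOAD_ROOT, c))
            for c in cases}


if __name__ == "__main__":
    for path, (naive, hard) in compare().items():
        print(f"{path!r:34} naive={naive!s:5} hardened={hard}")
```

The naive check accepts all three inputs; only the first is a real child. When auditing callers of `getValidDirectoryPath` after the update, the sibling-prefix case and the absolute-path case are the two inputs worth adding to the application's own tests, since a traversal-only test passes against both implementations when the "../" never leaves the parent.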

CVE-2022-24891:

There is a potential cross-site scripting vulnerability in ESAPI caused by
an incorrect regular expression for "onsiteURL" in the
**antisamy-esapi.xml** configuration file, which can cause "javascript:"
URLs to fail to be correctly sanitized.
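The general failure mode behind a bug of this shape is that a policy regex runs on the raw attribute text, while the browser decodes character references and strips control characters before it looks at the scheme. The following is an added Python illustration, not the regex from antisamy-esapi.xml and not ESAPI or AntiSamy code: an illustrative character-class regex with a literal `javascript:` exclusion, beside a check that first replays the browser's normalisation and then accepts only a relative reference. The sample URLs are constructed for the example.

```python
import html
import re
from urllib.parse import urlsplit

# Illustrative policy regex in the spirit of an AntiSamy "onsiteURL" entry
# (assumption: this is NOT the regex from antisamy-esapi.xml). It allows a
# relative link's usual characters and refuses a literal "javascript:" prefix.
NAIVE_ONSITE_URL = re.compile(r"^(?!javascript:)[\w\-./?=&#%:;@~,+!()]*$")

# Every character from NUL through space; browsers strip these from the ends
# of a URL before parsing it.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def naive_is_onsite(url: str) -> bool:
    """Apply the regex to the raw attribute value, as a policy file would."""
    return NAIVE_ONSITE_URL.fullmatch(url) is not None


def normalize_as_browser(url: str) -> str:
    """Replay what happens between the attribute text and scheme dispatch.

    The HTML parser decodes character references (&#x73; and &colon; become
    "s" and ":"), the URL parser strips leading/trailing C0 controls and
    spaces, removes embedded tab/CR/LF, and treats backslash as slash in
    special schemes. A regex that runs before these steps sees a different
    string than the browser does.
    """
    s = html.unescape(url)
    s = s.strip(_C0_AND_SPACE)
    s = re.sub(r"[\t\r\n]", "", s)
    return s.replace("\\", "/")


def hardened_is_onsite(url: str) -> bool:
    """Accept only a relative reference: no scheme and no authority after
    normalisation. Anything with a scheme (javascript:, data:, http:) or a
    protocol-relative //host is not on-site."""
    parts = urlsplit(normalize_as_browser(url))
    return not parts.scheme and not parts.netloc


# Constructed inputs: one legitimate link and several ways of smuggling a
# script URL or an off-site host past a character-class regex.
SAMPLES = [
    "/account/settings?tab=security",
    "javascript:alert(1)",
    "JavaScript:alert(1)",
    "java&#x73;cript:alert(1)",
    "javascript&colon;alert(1)",
    "//evil.example/login",
]


def compare(samples=SAMPLES):
    """Return {url: (naive_verdict, hardened_verdict)}."""
    return {u: (naive_is_onsite(u), hardened_is_onsite(u)) for u in samples}


if __name__ == "__main__":
    for url, (naive, hard) in compare().items():
        print(f"{url!r:34} naive={naive!s:5} hardened={hard}")
```

Only the literal lowercase `javascript:` form is refused by the regex; the mixed-case, entity-encoded and protocol-relative forms all pass it and reach the browser as a script or off-site URL. The samples double as a quick regression check: after installing the updated package, feed them through the application's own sanitiser path and confirm that every entry except the first is rejected.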

CVE-2025-5878:

This issue affects the interface Encoder.encodeForSQL of the
SQL Injection Defense. An attack leads to an improper neutralization of

Severity: Critical

Package: libowasp-esapi-java
Version: 2.4.0.0-0+deb11u1
CVE ID: CVE-2022-23457 CVE-2022-24891 CVE-2025-5878
Debian Bug: 1010339 1109378
