Bug#1109378: libowasp-esapi-java: CVE-2025-5878
Moritz Mühlenhoff
jmm at inutil.org
Wed Jul 16 10:10:39 BST 2025
Package: libowasp-esapi-java
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for libowasp-esapi-java.
CVE-2025-5878[0]:
| A vulnerability was found in ESAPI esapi-java-legacy and classified
| as problematic. This issue affects the interface
| Encoder.encodeForSQL of the SQL Injection Defense. An attack leads
| to an improper neutralization of special elements. The attack may be
| initiated remotely and an exploit has been disclosed to the public.
| The project was contacted early about this issue and handled it with
| an exceptional level of professionalism. Upgrading to version
| 2.7.0.0 is able to address this issue. Commit ID
| f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by
| default and any attempt to use it will trigger a warning. And commit
| ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the
| misleading Java class documentation to warn about the risks.
https://github.com/ESAPI/esapi-java-legacy/commit/f75ac2c2647a81d2cfbdc9c899f8719c240ed512 (esapi-2.7.0.0)
https://github.com/ESAPI/esapi-java-legacy/commit/e2322914304d9b1c52523ff24be495b7832f6a56 (esapi-2.7.0.0)
If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-5878
https://www.cve.org/CVERecord?id=CVE-2025-5878
Please adjust the affected versions in the BTS as needed.
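As an added illustration (not code from the bug report or from the ESAPI project), the following Java class places the pattern the advisory warns about, escaping a value with Encoder.encodeForSQL and then concatenating it into a query string, next to the parameterized form that removes the need for escaping. It assumes a JDBC Connection to a table named users with a name column, and ESAPI (with its ESAPI.properties) plus a JDBC driver on the classpath; the table and method names are illustrative.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.MySQLCodec;

/**
 * Two lookups of a user row by name (example code, not from the advisory).
 * The first relies on ESAPI's Encoder.encodeForSQL, the interface named in
 * CVE-2025-5878, to escape a value that is then concatenated into the query
 * string; the second binds the value as a parameter so the driver never
 * parses it as SQL. The users table and column name are assumptions.
 */
public final class UserLookup {

    private UserLookup() {}

    /** Pattern the advisory warns against: escape, then build the query by concatenation. */
    public static boolean userExistsEscaped(Connection conn, String userName)
            throws SQLException {
        // encodeForSQL(Codec, String) is ESAPI's SQL escaping routine. Per the
        // advisory, esapi 2.7.0.0 disables it by default and logs a warning
        // on any attempt to use it.
        String escaped = ESAPI.encoder().encodeForSQL(
                new MySQLCodec(MySQLCodec.Mode.STANDARD), userName);
        String sql = "SELECT 1 FROM users WHERE name = '" + escaped + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    /** Replacement: a parameterized query, which needs no escaping at all. */
    public static boolean userExists(Connection conn, String userName)
            throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, userName); // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

Migrating callers from the first method to the second is the change that actually removes the dependency on encodeForSQL; simply upgrading to 2.7.0.0 turns the escaping path off and will surface the remaining call sites through the warning the advisory mentions.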