CVE-2013-5679
cryptographic protection bypass vulnerability in esapi (Maven)
What is CVE-2013-5679 About?
This vulnerability affects the authenticated-encryption feature in OWASP ESAPI for Java 2.x before 2.1.0. It allows remote attackers to bypass cryptographic protection mechanisms due to improper resistance to tampering with serialized ciphertext. The flaw stems from a null MAC and zero MAC length in the default configuration, making it a critical security bypass.
Affected Software
Technical Details
The OWASP Enterprise Security API (ESAPI) for Java 2.x, specifically versions prior to 2.1.0, contains a critical flaw in its authenticated-encryption implementation. The issue lies in the default configuration where the Message Authentication Code (MAC) is null, and its length is specified as zero. This means that when data is encrypted using ESAPI's symmetric-encryption feature, no cryptographic integrity check is actually performed. An attacker can tamper with the serialized ciphertext without detection because there is no MAC to verify its authenticity. This design weakness makes it trivial for remote attackers to bypass the intended cryptographic protection mechanisms, allowing them to potentially modify encrypted data without being detected, thereby undermining the authenticity and integrity guarantees of the encryption scheme.
What is the Impact of CVE-2013-5679?
Successful exploitation may allow attackers to bypass cryptographic integrity checks, tamper with encrypted data, or potentially decrypt sensitive information due to the lack of authenticity guarantees.
What is the Exploitability of CVE-2013-5679?
Exploitation of this vulnerability is of medium complexity, as it requires specialized knowledge of cryptographic attacks against authenticity but is simplified by the default insecure configuration. An attacker needs to be able to intercept or modify serialized ciphertext that was encrypted by a vulnerable ESAPI instance. No direct authentication is required to perform the tampering itself, but the attacker would need access to the ciphertext, which might be transmitted over a network or stored. This attack is typically remote, as it involves intercepting and modifying data in transit or at rest. No special privileges are inherently required on the target system other than the ability to interact with the ciphertext. The critical vulnerability lies in the implementation's failure to resist tampering, making any data protected by this feature highly susceptible to integrity violations. The default insecure configuration significantly increases the likelihood of exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2013-5679?
Available Upgrade Options
- org.owasp.esapi:esapi
- >2.0.0, <2.1.0 → Upgrade to 2.1.0
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- http://www.securityfocus.com/bid/62415
- http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html
- http://code.google.com/p/owasp-esapi-java/issues/detail?id=306
- http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf
- http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html
- https://github.com/ESAPI/esapi-java-legacy/commit/41138fef5f63d9cf0d5e05d2bee2c7f682ffef3f
- https://github.com/ESAPI/esapi-java-legacy
- https://nvd.nist.gov/vuln/detail/CVE-2013-5679
- http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf
- https://osv.dev/vulnerability/GHSA-jcp9-796g-pv9p
What are Similar Vulnerabilities to CVE-2013-5679?
Similar Vulnerabilities: CVE-2016-1000339 , CVE-2015-8126 , CVE-2015-8127 , CVE-2016-4971 , CVE-2017-15206
