CVE-2013-5960
cryptographic bypass vulnerability in esapi (Maven)
What is CVE-2013-5960 About?
This vulnerability in the authenticated-encryption feature of OWASP ESAPI for Java allows remote attackers to bypass its cryptographic protection: in non-default configurations, serialized ciphertext can be tampered with through attacks against the chosen cipher mode. Exploitation is complex because it requires a specific configuration and cryptographic expertise.
Affected Software
Technical Details
The vulnerability lies in the authenticated-encryption feature of the symmetric-encryption implementation in OWASP ESAPI for Java 2.x before 2.1.0.1. It does not properly resist tampering with serialized ciphertext (a separate issue from CVE-2013-5679), which lets remote attackers bypass the intended cryptographic protection mechanisms. The attack vector is the cipher mode chosen in a non-default configuration: because the integrity of the serialized ciphertext is not adequately verified, an attacker can modify the encrypted data in transit without detection, and the guarantees of authenticated encryption are lost.
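The defensive property the advisory describes, that every byte of the serialized ciphertext (mode identifier, IV and cipher bytes) is covered by an integrity check that is verified before anything is decrypted, is shown below in an added, self-contained Java example. This is not ESAPI code and does not reproduce ESAPI's CipherText serialization; the class name `SealedBlob`, the wire layout `[mode tag][IV][ciphertext][HMAC]` and the `seal`/`open` method names are assumptions made for the illustration. It uses encrypt-then-MAC with a MAC key that is independent of the encryption key, compares tags in constant time, and shows that a blob with a single flipped bit is rejected rather than decrypted.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

// Added illustration (not ESAPI code): encrypt-then-MAC over the whole serialized
// ciphertext so that any change to the mode tag, IV or cipher bytes is rejected.
public final class SealedBlob {
    private static final String CIPHER = "AES/CBC/PKCS5Padding";
    private static final String MAC = "HmacSHA256";
    private static final int IV_LEN = 16;
    private static final int TAG_LEN = 32; // HmacSHA256 output size
    private static final SecureRandom RNG = new SecureRandom();

    // Hypothetical wire format: [mode tag][16-byte IV][ciphertext][32-byte HMAC].
    // The mode tag is authenticated too, so the mode cannot be swapped by an attacker.
    private static final byte[] MODE_TAG = CIPHER.getBytes(StandardCharsets.US_ASCII);

    private final SecretKey encKey;
    private final SecretKey macKey; // independent key: never reuse the encryption key for the MAC

    public SealedBlob(SecretKey encKey, SecretKey macKey) {
        this.encKey = encKey;
        this.macKey = macKey;
    }

    public byte[] seal(byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] body = concat(MODE_TAG, iv, c.doFinal(plaintext));
        return concat(body, mac(body)); // tag covers mode tag + IV + ciphertext
    }

    public byte[] open(byte[] blob) throws GeneralSecurityException {
        if (blob.length < MODE_TAG.length + IV_LEN + TAG_LEN) {
            throw new GeneralSecurityException("truncated blob");
        }
        byte[] body = Arrays.copyOfRange(blob, 0, blob.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - TAG_LEN, blob.length);
        // Verify integrity first, in constant time, before touching the cipher.
        if (!MessageDigest.isEqual(mac(body), tag)) {
            throw new GeneralSecurityException("integrity check failed");
        }
        byte[] modeTag = Arrays.copyOfRange(body, 0, MODE_TAG.length);
        if (!Arrays.equals(modeTag, MODE_TAG)) {
            throw new GeneralSecurityException("unexpected cipher mode");
        }
        byte[] iv = Arrays.copyOfRange(body, MODE_TAG.length, MODE_TAG.length + IV_LEN);
        byte[] ct = Arrays.copyOfRange(body, MODE_TAG.length + IV_LEN, body.length);
        Cipher c = Cipher.getInstance(CIPHER);
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        return c.doFinal(ct);
    }

    private byte[] mac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(MAC);
        m.init(macKey);
        return m.doFinal(data);
    }

    private static byte[] concat(byte[]... parts) {
        int total = 0;
        for (byte[] p : parts) total += p.length;
        byte[] out = new byte[total];
        int off = 0;
        for (byte[] p : parts) {
            System.arraycopy(p, 0, out, off, p.length);
            off += p.length;
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey encKey = kg.generateKey();
        byte[] macKeyBytes = new byte[32];
        RNG.nextBytes(macKeyBytes);
        SecretKey macKey = new SecretKeySpec(macKeyBytes, MAC);

        SealedBlob box = new SealedBlob(encKey, macKey);
        byte[] blob = box.seal("amount=100".getBytes(StandardCharsets.UTF_8)); // constructed sample
        System.out.println("round trip: " + new String(box.open(blob), StandardCharsets.UTF_8));

        // Constructed tamper case: one bit flipped inside the serialized IV. Without the
        // MAC, CBC would decrypt this to an altered first block with no error; with it,
        // open() rejects the blob before decryption.
        byte[] tampered = blob.clone();
        tampered[MODE_TAG.length] ^= 0x01;
        try {
            box.open(tampered);
            System.out.println("BUG: tampered blob accepted");
        } catch (GeneralSecurityException e) {
            System.out.println("rejected tampered blob: " + e.getMessage());
        }
    }
}
```

The ordering in `open` is the point to check in any review of code like this: the MAC is verified over the complete serialized form, the comparison is constant time, and decryption (with its padding-oracle-prone error path) never runs on unauthenticated input. An implementation that authenticates only the cipher bytes, or that decrypts first and checks afterwards, leaves the mode tag and IV open to exactly the kind of tampering this advisory covers.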
What is the Impact of CVE-2013-5960?
Successful exploitation may allow attackers to bypass cryptographic integrity checks, tamper with encrypted data, or decrypt sensitive information, leading to data manipulation or disclosure.
What is the Exploitability of CVE-2013-5960?
Exploitation of this vulnerability is of high complexity. It requires a non-default configuration of OWASP ESAPI for Java's symmetric encryption, specifically the cipher mode used for authenticated encryption, and an attacker would need deep cryptographic knowledge to craft an attack against that cipher mode. There are no explicit authentication or privilege requirements, since the attack targets the integrity of encrypted data, which may be handled in various parts of an application; it is carried out remotely by modifying intercepted ciphertext. Special conditions are the application's reliance on a vulnerable ESAPI version and its use of the problematic configuration. Risk factors include the use of non-standard cryptographic configurations and over-reliance on ESAPI's default crypto implementations without careful review.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2013-5960?
About the Fix from Resolved Security
This patch adds a check that prevents the percent character (%) from being included in the list of "immune" characters passed to the URL encoding method, explicitly warning that allowing % as immune can break URL encoding and result in unsafe behavior. By ensuring % is always encoded unless specifically required, it prevents attackers from injecting harmful percent-encoded sequences, thus fixing the vulnerability described in CVE-2013-5960.
Available Upgrade Options
- org.owasp.esapi:esapi
  - >2.0.0.0, <2.1.0.1 → Upgrade to 2.1.0.1
Additional Resources
- http://www.securityfocus.com/bid/62415
- http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html
- http://code.google.com/p/owasp-esapi-java/issues/detail?id=306
- http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf
- https://osv.dev/vulnerability/GHSA-2g56-7jv7-wxxq
- https://github.com/ESAPI/esapi-java-legacy
- https://github.com/esapi/esapi-java-legacy/issues/306
- https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt
What are Similar Vulnerabilities to CVE-2013-5960?
Similar Vulnerabilities: CVE-2016-6080, CVE-2019-10022, CVE-2020-25656, CVE-2020-25659, CVE-2022-37454
