CVE-2022-24891
Cross-Site Scripting (XSS) vulnerability in esapi (Maven)
What is CVE-2022-24891 About?
ESAPI (the OWASP Enterprise Security API) contains a Cross-Site Scripting (XSS) vulnerability caused by an incorrect regular expression for "onsiteURL" in `antisamy-esapi.xml`, the AntiSamy policy file that ships with the library. The flawed pattern lets URLs using the "javascript:" scheme pass HTML sanitization, so when a "sanitized" link is rendered the attacker's script runs in the victim's browser. Because the flaw is in the default policy rather than an application-specific misconfiguration, exploitation is straightforward against any application that sanitizes untrusted HTML with the shipped file on an ESAPI version before 2.3.0.0.
Affected Software
org.owasp.esapi:esapi (Maven), all versions prior to 2.3.0.0. The vulnerable "onsiteURL" regular expression is in the `antisamy-esapi.xml` policy distributed with the library, so an application is affected unless it has replaced that policy with its own.
Technical Details
The XSS vulnerability arises from an improperly written regular expression for "onsiteURL" in the `antisamy-esapi.xml` configuration file. AntiSamy uses this pattern to decide which URL-valued attributes (for example an `<a>` tag's `href`) are acceptable in sanitized HTML; ESAPI's HTML validation (for example `Validator.getValidSafeHTML()`) delegates to AntiSamy with that policy. The pattern is meant to admit only on-site URLs, but it does not correctly reject values that carry the `javascript:` scheme. An attacker who can submit HTML containing a link such as `<a href="javascript:alert(document.domain)">` therefore gets the link back from the sanitizer intact. When the application renders that output and the victim follows the link, the browser executes the JavaScript in the origin of the vulnerable page, which is a stored or reflected XSS depending on where the input came from.
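The following Python example is added here to illustrate the class of defect the advisory describes; it is not ESAPI's code and the patterns in it are not the real `onsiteURL` expression from `antisamy-esapi.xml`. It places a deliberately weak, substring-matched character-class allow-list beside a hardened check that decodes the attribute value the way a browser would, inspects the URL scheme, and only then matches the whole value. The sample `href` values and all names are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Simplified stand-in for a regex-driven "onsiteURL" attribute allow-list.
# It is NOT the pattern from antisamy-esapi.xml; it only reproduces the shape
# of the defect the advisory describes: a character-class pattern that is
# applied without anchoring the whole attribute value, so a leading
# "javascript:" scheme is never examined. Pattern and names are assumptions
# made for this example.
WEAK_ONSITE_URL = re.compile(r"[\w\\.#@$%+&;\-~,?=/!]+|#\w+")


def weak_is_onsite_url(value: str) -> bool:
    """Vulnerable check: accepts the value if ANY substring matches."""
    return WEAK_ONSITE_URL.search(value) is not None


# Schemes an "on-site" link may legitimately use; "" means a relative URL.
SAFE_SCHEMES = {"", "http", "https"}
ALLOWED_CHARS = re.compile(r"[\w\\.#@$%+&;:\-~,?=/!]*")


def strict_is_onsite_url(value: str) -> bool:
    """Hardened check: decode, normalise, inspect the scheme, match the whole value."""
    # 1. Decode HTML entities the way the browser will when it reads href="...",
    #    so an entity-encoded scheme separator cannot hide the real scheme.
    decoded = html.unescape(value)
    # 2. Drop ASCII control and whitespace characters, which browsers strip
    #    from inside a scheme before resolving the URL.
    normalised = re.sub(r"[\x00-\x20]", "", decoded)
    # 3. Parse the scheme and allow only relative or http(s) targets.
    if urlsplit(normalised).scheme.lower() not in SAFE_SCHEMES:
        return False
    # 4. Require the entire value, not a fragment of it, to use the allowed alphabet.
    return ALLOWED_CHARS.fullmatch(normalised) is not None


# Constructed sample href values: two legitimate on-site links followed by
# javascript: payloads in the forms an attacker would typically try.
SAMPLE_HREFS = [
    "/account/settings",
    "https://example.test/docs?page=2#top",
    "javascript:alert(document.domain)",
    "JAVASCRIPT:alert(1)",
    "java\tscript:alert(1)",
    "javascript&colon;alert(1)",
]


def audit(hrefs=SAMPLE_HREFS):
    """Return {href: (weak_verdict, strict_verdict)} for each sample value."""
    return {h: (weak_is_onsite_url(h), strict_is_onsite_url(h)) for h in hrefs}


if __name__ == "__main__":
    for href, (weak, strict) in audit().items():
        print(f"{href!r:40} weak={weak!s:5} strict={strict}")
```

The weak check accepts every sample, including all four `javascript:` variants, because `search()` is satisfied by the first run of allowed characters (`javascript`). The hardened check rejects them all while still admitting the relative and `https` links; note that entity decoding and whitespace stripping happen before the scheme is inspected, which is what defeats the `&colon;` and tab-split variants.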
What is the Impact of CVE-2022-24891?
Successful exploitation may allow attackers to inject arbitrary web scripts in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2022-24891?
Exploitation is of low to moderate complexity. The prerequisites are an ESAPI version prior to 2.3.0.0, HTML sanitization performed through the shipped `antisamy-esapi.xml` policy with its incorrect "onsiteURL" regular expression, and an application that accepts untrusted HTML and renders the sanitized result. No authentication is required beyond whatever the application demands to submit that input. The attack is remote: the attacker submits content containing a `javascript:` link, the vulnerable policy passes it through unchanged, and the script executes when a victim follows the rendered link. The presence of the flawed regex in the active policy is the key condition that makes exploitation possible.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| shoucheng3 | Link | PoC for CVE-2022-24891 |
What are the Available Fixes for CVE-2022-24891?
Available Upgrade Options
- org.owasp.esapi:esapi
- <2.3.0.0 → Upgrade to 2.3.0.0
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-24891
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf
- https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt
- https://security.netapp.com/advisory/ntap-20230127-0014
What are Similar Vulnerabilities to CVE-2022-24891?
Similar Vulnerabilities: CVE-2022-23647, CVE-2022-2218, CVE-2021-41183, CVE-2021-41193, CVE-2021-32640
