CVE-2013-5679

Published Sep 30, 2013

Last updated 9 years ago

Overview

Description: The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.
Source: cve@mitre.org
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 2.0

Type: Primary
Base score: 2.6
Impact score: 4.9
Exploitability score: 1.9
Vector string: AV:L/AC:H/Au:N/C:P/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-310

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:owasp:enterprise_security_api:2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0B74D8CC-CA37-4F81-8E97-C2F37FD12AF9"
          },
          {
            "criteria": "cpe:2.3:a:owasp:enterprise_security_api:2.0.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2D9B29AF-E928-457D-ABA4-4D00FA828A34"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 2.0

Weaknesses

Configurations

References