ID CVE-2013-5960
Summary The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.
References
Vulnerable Configurations
  • cpe:2.3:a:owasp:enterprise_security_api:2.0:-:*:*:*:*:*:*
    cpe:2.3:a:owasp:enterprise_security_api:2.0:-:*:*:*:*:*:*
  • cpe:2.3:a:owasp:enterprise_security_api:2.0:rc10:*:*:*:*:*:*
    cpe:2.3:a:owasp:enterprise_security_api:2.0:rc10:*:*:*:*:*:*
  • cpe:2.3:a:owasp:enterprise_security_api:2.0:rc11:*:*:*:*:*:*
    cpe:2.3:a:owasp:enterprise_security_api:2.0:rc11:*:*:*:*:*:*
  • cpe:2.3:a:owasp:enterprise_security_api:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:a:owasp:enterprise_security_api:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:owasp:enterprise_security_api:2.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:owasp:enterprise_security_api:2.1.0:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 04-02-2019 - 16:33)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
refmap via4
bid 62415
confirm
mlist [esapi-dev] 20130821 ESAPI Java and Authenticated encryption implementation
Last major update 04-02-2019 - 16:33
Published 30-09-2013 - 17:09
Last modified 04-02-2019 - 16:33
Back to Top