
[SECURITY] [DLA 4246-1] libowasp-esapi-java security update

-------------------------------------------------------------------------
Debian LTS Advisory DLA-4246-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
July 22, 2025                                 https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : libowasp-esapi-java
Version        : 2.4.0.0-0+deb11u1
CVE ID         : CVE-2022-23457 CVE-2022-24891 CVE-2025-5878
Debian Bug     : 1010339 1109378

Several security vulnerabilities have been discovered in libowasp-esapi-java,
a Java Enterprise Security API.

CVE-2022-23457

    ESAPI (The OWASP Enterprise Security API) is a free, open source, web
    application security control library. Prior to this update the default
    implementation of `Validator.getValidDirectoryPath(String, String, File,
    boolean)` may incorrectly treat the tested input string as a child of the
    specified parent directory. This potentially could allow control-flow
    bypass checks to be defeated if an attacker can specify the entire string
    representing the 'input' path.

CVE-2022-24891

    There is a potential for a cross-site scripting vulnerability in ESAPI
    caused by an incorrect regular expression for "onsiteURL" in the
    **antisamy-esapi.xml** configuration file that can cause "javascript:"
    URLs to fail to be correctly sanitized.

CVE-2025-5878

    This issue affects the interface Encoder.encodeForSQL of the SQL
    Injection Defense. An attack leads to an improper neutralization of
    special elements.

We are not aware of any affected reverse-dependencies in…
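The first issue above, CVE-2022-23457, is an instance of a general validation mistake: deciding that a path lies inside a parent directory by comparing strings rather than canonicalised path components. The following is an added illustration written for this advisory, not ESAPI's own implementation and not the code of the fixed Debian package; the function names `naive_is_child`, `is_child` and the sample paths under `/var/app` are constructed for the example. It shows a flawed prefix check beside a correct one, so that a reviewer auditing similar code has a concrete reference for what "treats the input as a child of the parent" should and should not accept.

```python
import os

# Constructed sample inputs: (parent directory, candidate path) pairs.
# The first is a legitimate child; the other two should be rejected.
CASES = [
    ("/var/app/data", "/var/app/data/report.txt"),        # genuine child
    ("/var/app/data", "/var/app/data_evil/report.txt"),   # sibling with same prefix
    ("/var/app/data", "/var/app/data/../secrets/key"),    # escapes via '..'
]


def naive_is_child(parent: str, candidate: str) -> bool:
    """Flawed check: a plain string-prefix comparison.

    It accepts any path whose text happens to start with the parent's text,
    including sibling directories such as '/var/app/data_evil' and paths
    that climb back out with '..'. This is the class of mistake described
    for Validator.getValidDirectoryPath in the advisory (illustrative only).
    """
    return candidate.startswith(parent)


def is_child(parent: str, candidate: str) -> bool:
    """Correct check: canonicalise both paths, then compare components.

    os.path.realpath resolves '.', '..' and symlinks, so the comparison is
    made on the path the OS would actually open. os.path.commonpath works on
    whole components, so '/var/app/data_evil' does not match '/var/app/data'.
    The parent directory itself is treated as inside the allowed tree.
    """
    parent_real = os.path.realpath(parent)
    candidate_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([parent_real, candidate_real]) == parent_real
    except ValueError:
        # Raised when the paths are on different drives/roots; never a child.
        return False


def evaluate(cases=CASES):
    """Return (naive_result, correct_result) for each sample pair."""
    return [(naive_is_child(p, c), is_child(p, c)) for p, c in cases]


if __name__ == "__main__":
    for (parent, candidate), (naive, correct) in zip(CASES, evaluate()):
        print(f"{candidate!r:40} naive={naive!s:5} correct={correct}")
```

Running the block prints one line per sample: the naive check answers True for all three, while the canonical check accepts only the genuine child. In a Java code base the same idea is `File.getCanonicalPath()` on both the parent and the candidate followed by a component-aware comparison, rather than `String.startsWith` on the raw input.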

