Validator.isValidSafeHTML() is vulnerable as per CVE-2023-4780

[Adwait-Joshi94]

Hi Team,

Our organization has filed security finding in our application because of usagae of ESAPI open source library in our application. Based on investigation, finding is filed because of CVE-2023-4780, presence of method Validator.isValidSafeHTML(). As per GHSA-r68h-jhhj-9jvm , this method will be deleted in next one year. We would like to know in which release this method will be deleted and if there is any short term remediation through which we can resolve this finding?

Thanks,
Adwait Joshi

[jeremiahjstacey]

https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin12.pdf

Security Bulletin should provide information being requested.

[kwwall]

Two things to note:

1. One year is up and the Validator.isValidSafeHTML methods are being deleted in ESAPI release 2.6.0.0, which should be released today (11/25/2024) or tomorrow.
2. The CVE mentioned above CVE-2023-4780 has nothing to do with ESAPI. Near as I can tell based on https://cvefeed.io/vuln/detail/CVE-2023-4780, that CVE was rejected and it has to do with anything, it has to do with an authentication bypass in some Cisco VPN product. As far as I'm aware, no CVE was filed for this. (This was discussed with the CNA, GitHub, and the agreed that a CVE was mostly pointless because we were not able to immediately fix it without potentially sever code breakage. Therefore, we allowed a 1 year grace period where we deprecated the method first.)

[kwwall]

This is now fixed as part of the 2.6.0.0 release.