CVE-2013-5960 — MEDIUM (5.8)

Q: How severe is CVE-2013-5960?

CVE-2013-5960 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-5960?

Check the references section above for vendor advisories and patch information. Affected products include: Owasp Enterprise Security Api.

Vulnerability Description

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

CVSS Score

5.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:N

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Owasp	Enterprise Security Api	>= 2.0, < 2.1.0.1

Related Weaknesses (CWE)

CWE-310

References

http://code.google.com/p/owasp-esapi-java/issues/detail?id=306Exploit
http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.htmlExploit
http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-buPatchVendor Advisory
http://www.securityfocus.com/bid/62415Third Party AdvisoryVDB Entry
https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-Release NotesThird Party Advisory
https://github.com/ESAPI/esapi-java-legacy/issues/359Issue TrackingThird Party Advisory
https://github.com/esapi/esapi-java-legacy/issues/306Issue TrackingThird Party Advisory
http://code.google.com/p/owasp-esapi-java/issues/detail?id=306Exploit
http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.htmlExploit
http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-buPatchVendor Advisory
http://www.securityfocus.com/bid/62415Third Party AdvisoryVDB Entry
https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-Release NotesThird Party Advisory
https://github.com/ESAPI/esapi-java-legacy/issues/359Issue TrackingThird Party Advisory
https://github.com/esapi/esapi-java-legacy/issues/306Issue TrackingThird Party Advisory

FAQ

What is CVE-2013-5960?

CVE-2013-5960 is a vulnerability with a CVSS score of 5.8 (MEDIUM). The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with seriali...

How severe is CVE-2013-5960?

CVE-2013-5960 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-5960?

Check the references section above for vendor advisories and patch information. Affected products include: Owasp Enterprise Security Api.