CVE-2013-5960 : The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ES

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Published 2013-09-30 17:09:26

Updated 2019-02-04 16:33:02

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2013-5960

Probability of exploitation activity in the next 30 days: 0.45%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 75 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2013-5960

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:N	8.6	4.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None

CWE ids for CVE-2013-5960

CWE-310

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-5960

http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html

[Esapi-dev] ESAPI Java and Authenticated encryption implementation
Exploit

CVEs referencing this url
https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt

esapi-java-legacy/esapi4java-core-2.1.0.1-release-notes.txt at master · ESAPI/esapi-java-legacy · GitHub
Release Notes;Third Party Advisory
http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf

Error 404 (Not Found)!!1
Patch;Vendor Advisory

CVEs referencing this url
https://github.com/ESAPI/esapi-java-legacy/issues/359

CodecTest unit tests never test with a populated char array. · Issue #359 · ESAPI/esapi-java-legacy · GitHub
Issue Tracking;Third Party Advisory
http://code.google.com/p/owasp-esapi-java/issues/detail?id=306

Canonicalizing "%Device% changes the meaning of the input string · Issue #306 · ESAPI/esapi-java-legacy · GitHub
Exploit

CVEs referencing this url
https://github.com/esapi/esapi-java-legacy/issues/306

Canonicalizing "%Device% changes the meaning of the input string · Issue #306 · ESAPI/esapi-java-legacy · GitHub
Issue Tracking;Third Party Advisory
http://www.securityfocus.com/bid/62415

OWASP ESAPI CBC Mode HMAC Authentication Bypass Vulnerability
Third Party Advisory;VDB Entry

CVEs referencing this url

Products affected by CVE-2013-5960

Owasp » Enterprise Security Api
Versions from including (>=) 2.0 and before (<) 2.1.0.1
cpe:2.3:a:owasp:enterprise_security_api:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-5960

Exploit prediction scoring system (EPSS) score for CVE-2013-5960

CVSS scores for CVE-2013-5960

CWE ids for CVE-2013-5960

References for CVE-2013-5960

Products affected by CVE-2013-5960