AntiSamy just released a new version, 1.7.4, yesterday that addresses some CVEs, one in a dependency (batik-css) and another (CVE-2023-43643) in the AntiSamy code base.
So before anyone starts creating GitHub issues for this or starts "screaming at me" that I need to fix it, I just want to tell you that I'm aware. I have also been working with the AntiSamy team for the past 2 months or so and have confirmed that, because ESAPI's default AntiSamy policy file is much stricter than any that AntiSamy releases with, ESAPI is not affected by this XSS vulnerability, CVE-2023-43643. (I have tested ESAPI 2.5.2.0 with all of the new AntiSamy test cases and then some.)
Unfortunately, as of this moment, CVE-2023-43643 is not yet visible in NVD (nor does AntiSamy 1.7.4 show up in Maven Central searches). I would advise you to read the GitHub Advisory on it:
Again, this does not affect ESAPI users if you are using our default antisamy-esapi.xml AntiSamy policy file.
-kevin
--
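The message above rests on one practical point: whether you are exposed depends on which AntiSamy policy file your deployment actually loads. The following harness is an added example, not code from ESAPI, AntiSamy or the author of the post. It scans the same inputs through two policies and through ESAPI's validator so you can see how each one treats them. It assumes the ESAPI and AntiSamy jars are on the classpath, that `antisamy-esapi.xml` (ESAPI's policy) is resolvable as a classpath resource, and that an `ESAPI.properties` is present whose `Validator.HtmlValidationConfigurationFile` points at that policy. The sample inputs are constructed for illustration only; they are not the CVE-2023-43643 test cases, which you should take from the AntiSamy 1.7.4 test suite or the GitHub advisory.

```java
import java.io.IOException;
import java.io.InputStream;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ValidationException;
import org.owasp.validator.html.AntiSamy;
import org.owasp.validator.html.CleanResults;
import org.owasp.validator.html.Policy;
import org.owasp.validator.html.PolicyException;
import org.owasp.validator.html.ScanException;

/**
 * Added harness (not ESAPI or AntiSamy code): run a set of inputs through
 * (1) AntiSamy with its own bundled default policy, (2) AntiSamy with ESAPI's
 * antisamy-esapi.xml policy, and (3) ESAPI's validator, and show how each
 * treats them. Swap SAMPLES for the inputs you actually care about.
 */
public class PolicyCheck {

    // Constructed sample inputs for illustration. These are NOT the
    // CVE-2023-43643 test cases; substitute those from the AntiSamy 1.7.4
    // test suite or the GitHub advisory when verifying your own deployment.
    static final String[] SAMPLES = {
        "<b>bold</b> and <i>italic</i>",
        "<a href=\"javascript:alert(1)\">x</a>",
        "<svg onload=\"alert(1)\"></svg>",
        "<div style=\"background:url(javascript:alert(1))\">x</div>",
    };

    /** Load a policy file from the classpath (resource name is an assumption). */
    static Policy loadPolicy(String resource) throws PolicyException, IOException {
        try (InputStream in = PolicyCheck.class.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("policy not found on classpath: " + resource);
            }
            return Policy.getInstance(in);
        }
    }

    /** Scan every sample with AntiSamy directly and print output plus policy errors. */
    static void scanWithAntiSamy(String label, Policy policy) throws ScanException, PolicyException {
        AntiSamy antiSamy = new AntiSamy();
        System.out.println("== AntiSamy, " + label);
        for (String input : SAMPLES) {
            CleanResults result = antiSamy.scan(input, policy);
            System.out.printf("in : %s%nout: %s%nerrors: %d%n",
                    input, result.getCleanHTML(), result.getNumberOfErrors());
            for (String msg : result.getErrorMessages()) {
                System.out.println("  - " + msg);
            }
        }
    }

    /**
     * Scan every sample the way an ESAPI application would. Which policy is used,
     * and whether a rejected input throws or is cleaned, comes from ESAPI.properties
     * (Validator.HtmlValidationConfigurationFile and Validator.HtmlValidationAction).
     */
    static void scanWithEsapi() {
        System.out.println("== ESAPI.validator().getValidSafeHTML");
        for (String input : SAMPLES) {
            try {
                String safe = ESAPI.validator().getValidSafeHTML("PolicyCheck", input, 10000, false);
                System.out.printf("in : %s%nout: %s%n", input, safe);
            } catch (ValidationException e) {
                // With Validator.HtmlValidationAction=throw, disallowed markup lands here.
                System.out.printf("in : %s%nrejected: %s%n", input, e.getLogMessage());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Policy.getInstance() with no argument loads AntiSamy's own bundled antisamy.xml.
        scanWithAntiSamy("bundled antisamy.xml", Policy.getInstance());
        // ESAPI's stricter policy; resource name assumed to be on the classpath.
        scanWithAntiSamy("antisamy-esapi.xml", loadPolicy("antisamy-esapi.xml"));
        scanWithEsapi();
    }
}
```

Comparing the second and third sections is the useful check: if ESAPI's output differs from a direct scan with `antisamy-esapi.xml`, your `ESAPI.properties` is pointing the validator at a different policy file than you think, and the "not affected" statement above would not apply to that deployment.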