VulnerableCode Package Details - pkg:maven/org.owasp.esapi/esapi@2.2.0.0-RC2

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:maven/org.owasp.esapi/esapi@2.2.0.0-RC2

Essentials
History (4)

purl	pkg:maven/org.owasp.esapi/esapi@2.2.0.0-RC2

Next non-vulnerable version	2.6.0.0
Latest non-vulnerable version	2.6.0.0
Risk	4.0

Vulnerabilities affecting this package (4)

Vulnerability	Summary	Fixed by
VCID-5gp7-nrrf-rqft Aliases: GHSA-r68h-jhhj-9jvm GMS-2023-4888	Duplicate This advisory duplicates another.	2.6.0.0 Affected by 0 other vulnerabilities.
VCID-7fzb-kbs3-ffdm Aliases: CVE-2022-23457 GHSA-8m5h-hrqm-pxm2	Path traversal in the OWASP Enterprise Security API The default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path.	2.3.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-tf97-ymu1-qkc6 Aliases: GHSA-7c2q-5qmr-v76q GMS-2023-3933	DoS vulnerabilities persist in ESAPI file uploads despite remediation of CVE-2023-24998 ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI `HTTPUtilities.getFileUploads` methods (or more specifically those methods in the `DefaultHTTPUtilities` implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well.	2.5.2.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-vjjh-ajqh-kffb Aliases: CVE-2022-24891 GHSA-q77q-vx4q-xx6q	Cross-site Scripting in org.owasp.esapi:esapi There is a potential for an XSS vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configuration file that can cause URLs with the "javascript:" scheme to NOT be sanitized. See the reference below for full details.	2.3.0.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T07:43:17.574496+00:00	GitLab Importer	Affected by	VCID-5gp7-nrrf-rqft	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.owasp.esapi/esapi/GHSA-r68h-jhhj-9jvm.yml	38.6.0
2026-06-01T07:41:28.141704+00:00	GitLab Importer	Affected by	VCID-tf97-ymu1-qkc6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.owasp.esapi/esapi/GMS-2023-3933.yml	38.6.0
2026-06-01T06:36:47.059441+00:00	GitLab Importer	Affected by	VCID-vjjh-ajqh-kffb	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.owasp.esapi/esapi/CVE-2022-24891.yml	38.6.0
2026-06-01T06:36:45.998070+00:00	GitLab Importer	Affected by	VCID-7fzb-kbs3-ffdm	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.owasp.esapi/esapi/CVE-2022-23457.yml	38.6.0