Vulnerable Library - esapi-2.6.0.0.jar
The Enterprise Security API (ESAPI) project is an OWASP project to create simple, strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: https://owasp.org/www-project-enterprise-security-api/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.6.0.0/esapi-2.6.0.0.jar
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Vulnerabilities
| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (esapi version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2025-48734 | High | 8.8 | commons-beanutils-1.9.4.jar | Transitive | 2.6.2.0 | ❌ |
| CVE-2025-5878 | High | 7.3 | esapi-2.6.0.0.jar | Direct | 2.7.0.0 | ❌ |
| CVE-2025-46392 | Medium | 6.5 | commons-configuration-1.10.jar | Transitive | N/A* | ❌ |
| CVE-2025-48924 | Medium | 5.3 | commons-lang-2.6.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2025-48734
Vulnerable Library - commons-beanutils-1.9.4.jar
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
Dependency Hierarchy:
- esapi-2.6.0.0.jar (Root Library)
  - ❌ commons-beanutils-1.9.4.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Improper Access Control vulnerability in Apache Commons.
A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However, this protection was not enabled by default. PropertyUtilsBean (and consequently BeanUtilsBean) now disallows declared class level property access by default.
Releases 1.11.0 and 2.0.0-M2 address a potential security issue when accessing enum properties in an uncontrolled way. If an application using Commons BeanUtils passes property paths from an external source directly to the getProperty() method of PropertyUtilsBean, an attacker can access the enum's class loader via the "declaredClass" property available on all Java "enum" objects. Accessing the enum's "declaredClass" allows remote attackers to access the ClassLoader and execute arbitrary code. The same issue exists with PropertyUtilsBean.getNestedProperty().
Starting in versions 1.11.0 and 2.0.0-M2, a special BeanIntrospector suppresses the "declaredClass" property. Note that this new BeanIntrospector is enabled by default, but you can disable it to regain the old behavior; see section 2.5 of the user's guide and the unit tests.
This issue affects Apache Commons BeanUtils 1.x before 1.11.0, and 2.x before 2.0.0-M2. Users of the artifact commons-beanutils:commons-beanutils 1.x are recommended to upgrade to version 1.11.0, which fixes the issue. Users of the artifact org.apache.commons:commons-beanutils2 2.x are recommended to upgrade to version 2.0.0-M2, which fixes the issue.
Publish Date: 2025-05-28
URL: CVE-2025-48734
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-wxr5-93ph-8wr9
Release Date: 2025-05-28
Fix Resolution (commons-beanutils:commons-beanutils): 1.11.0
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.6.2.0
Step up your Open Source Security Game with Mend here
CVE-2025-5878
Vulnerable Library - esapi-2.6.0.0.jar
The Enterprise Security API (ESAPI) project is an OWASP project to create simple, strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Library home page: https://owasp.org/www-project-enterprise-security-api/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/owasp/esapi/esapi/2.6.0.0/esapi-2.6.0.0.jar
Dependency Hierarchy:
- ❌ esapi-2.6.0.0.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 addresses this issue. Commit f75ac2c2647a81d2cfbdc9c899f8719c240ed512 disables the feature by default, and any attempt to use it triggers a warning; commit e2322914304d9b1c52523ff24be495b7832f6a56 updates the misleading Java class documentation to warn about the risks.
Publish Date: 2025-06-29
URL: CVE-2025-5878
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-hxjw-v2v5-hpcr
Release Date: 2025-06-29
Fix Resolution: 2.7.0.0
CVE-2025-46392
Vulnerable Library - commons-configuration-1.10.jar
Tools to assist in the reading of configuration/preferences files in various formats.
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-configuration/commons-configuration/1.10/commons-configuration-1.10.jar
Dependency Hierarchy:
- esapi-2.6.0.0.jar (Root Library)
  - ❌ commons-configuration-1.10.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Uncontrolled Resource Consumption vulnerability in Apache Commons Configuration 1.x.
There are a number of issues in Apache Commons Configuration 1.x that allow excessive resource consumption when loading untrusted configurations or using unexpected usage patterns. The Apache Commons Configuration team does not intend to fix these issues in 1.x. Apache Commons Configuration 1.x is still safe to use in scenarios where you only load trusted configurations.
Users that load untrusted configurations or give attackers control over usage patterns are recommended to upgrade to the 2.x version line, which fixes these issues. Apache Commons Configuration 2.x is not a drop-in replacement, but as it uses a separate Maven groupId and Java package namespace, the two can be loaded side-by-side, making a gradual migration possible.
Publish Date: 2025-05-09
URL: CVE-2025-46392
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/y1pl0mn3opz6kwkm873zshjdxq3dwq5s
Release Date: 2025-05-09
Fix Resolution: commons-configuration:commons-configuration:2.0
CVE-2025-48924
Vulnerable Library - commons-lang-2.6.jar
Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Library home page: http://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
Dependency Hierarchy:
- esapi-2.6.0.0.jar (Root Library)
  - commons-configuration-1.10.jar
    - ❌ commons-lang-2.6.jar (Vulnerable Library)
Found in HEAD commit: 985d4a71b0cc06b07e4e37fda7739bbfc0dfc733
Found in base branch: master
Vulnerability Details
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: commons-lang:commons-lang 2.0 through 2.6, and org.apache.commons:commons-lang3 3.0 before 3.18.0.
The ClassUtils.getClass(...) methods can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-07-11
URL: CVE-2025-48924
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2025-07-11
Fix Resolution: https://github.com/apache/commons-lang.git - commons-lang-3.18.0, org.apache.commons:commons-lang3:3.18.0