Dealing with Security Vulnerabilities CVE-2023-26119 #321
Comments
|
Sigh. It would be nice if they could delay dropping these bombshells until the verify that the new version is actually in Maven Central. I just try to exclude it from ESAPI's direct dependency on AntiSamy and pull it in as a direct dependency and got this error message: The good news is the htmlunit-neko commit ID mentioned looks like it only affects the |
The new version is indeed in the maven warehouse, but the groupid has changed. |
|
Thanks. Just noticed that. That's probably something they should note in the CVE.
@ChenyuWang98 - Looks like they may have done more than just change the <groupID> as part of the GAV. It appears as though there were major revisions from 2.70.0 to 3.0.0, such as changes to the package names from 'net.sourceforge.htmlunit' to 'org.htmlunit', which means I just can't simply exclude it from AntiSamy and pull it into ESAPI directly.
First step is to have AntiSamy team determine if the CVE is exploitable via AntiSamy. With any luck, it's not and the only concern is keeping the SCA tools from complaining that the sky is falling. It is it exploitable, it may take a while to change, depending on how much else they've reorganized things.
|
In addition, it is not that there is no problem if it is not used. Many tests will not pass as long as it is carried. So I hope you can upgrade and publish as soon as possible. |
|
@ChenyuWang98 - You wrote:
Are you referring to SCA related tests or unit tests or exactly what? As per @planetlevel, at least 3/4's of the SCA complaints are about things that are not even reachable and while I've not done any scientific analysis of the data like Contrast Security has, that certainly agrees with my intuition and personal experience in supporting ESAPI. |
|
Our integration tests are using https://github.com/jeremylong/DependencyCheck. It will not ignore this security issue just because the third-party library is not currently used. And you can only promise verbally that you won't use it. Upgrading seems to be the best solution once and for all when there is already a third-party library version that can solve the security hole. |
|
@ChenyuWang98 - Actually, with Dependency Check, if you know something is a false positive, you can create a suppression.xml file to suppress those. ESAPI does that on a few. That's documented with the Dependency Check wiki pages and I think there's a way to generate it straight from your browser while viewing a Dependency Check report. Of course, you should wait for the AntiSamy folks to verify that it indeed is not exploitable though before deciding to suppress it. |
|
Release 1.7.3 was just released that remediates this. |
|
And I just updated our pom to use AntiSamy 1.7.3 to address this in PR ESAPI/esapi-java-legacy#784 to address this. |
|
Thank you for your efforts. The maven warehouse does not seem to have the latest 1.7.3 version yet. Where can I use the latest version. |
|
It sometimes takes a while to show up
In some cases, it never shows up in the search even though you can
download it from the repository.
That said, I've been trying to do an ESAPI 2.5.2.0 release and it doesn't
seem to be working.
…-kevin
On Wed, Apr 12, 2023, 9:52 PM Chenyu Wang ***@***.***> wrote:
The maven warehouse does not seem to have the latest 1.7.3 version yet. I
can use the latest version from there.
—
Reply to this email directly, view it on GitHub
<#321 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAO6PG6QTEWIGRTOIES4MLTXA5L4RANCNFSM6AAAAAAWYO74UM>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
It's available: https://repo1.maven.org/maven2/org/owasp/antisamy/antisamy/1.7.3/ here. But currently, when you 'search' for it, you only see 1.7.2. |
|
Thank you so much
|
https://nvd.nist.gov/vuln/detail/CVE-2023-26119
Need to upgrade neko-htmlunit to 3.0.0
https://github.com/HtmlUnit/htmlunit-neko
The text was updated successfully, but these errors were encountered: