CVE-2025-5878

| EUVD-2025-28693 HIGH
2025-06-29 [email protected]
7.3
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 16, 2026 - 01:15 vuln.today
EUVD ID Assigned
Mar 16, 2026 - 01:15 euvd
EUVD-2025-28693
CVE Published
Jun 29, 2025 - 12:15 nvd
HIGH 7.3

Tags

Java SQLi Ubuntu Debian

Description

A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks.

Analysis

A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks.

Technical Context

SQL injection occurs when user-supplied input is incorporated into SQL queries without proper sanitization or parameterized queries. This vulnerability is classified as Improper Input Validation (CWE-20).

Affected Products

Affected: ESAPI esapi-java-legacy and classified as problematic

Remediation

Use parameterized queries or prepared statements. Apply input validation and escape special characters. Implement least-privilege database accounts.

Priority Score

37
Low Medium High Critical
KEV: 0
EPSS: +0.2
CVSS: +36
POC: 0

Vendor Status

Ubuntu

Priority: Medium
libowasp-esapi-java
Release Status Version
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
plucky ignored end of life, was needs-triage
questing needs-triage -

Debian

Bug #1109378
libowasp-esapi-java
Release Status Fixed Version Urgency
bullseye fixed 2.4.0.0-0+deb11u1 -
bullseye (security) fixed 2.4.0.0-0+deb11u1 -
bookworm vulnerable 2.4.0.0-2 -
forky, sid, trixie vulnerable 2.4.0.0-2.1 -
(unstable) fixed (unfixed) -
DLA-4246-1

Share

CVE-2025-5878 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy