ESAPI 2.5.0.0 blackduck vulnerability found CVE-2022-38648 #804
@Evo-AndersonZaks - The current latest official ESAPI release, as of 2023-10-16, is 2.5.2.0, which uses AntiSamy 1.7.3, which in turn uses org.apache.xmlgraphics:batik-css:jar:1.16. The NVD entry for the CVE you mentioned states "This issue affects Apache XML Graphics Batik 1.14", so I presume that would make that particular BlackDuck complaint about this CVE happy. As a general rule, we do not comment on updates to transitive dependencies unless we have reason to believe they present an exploitable path to ESAPI users, which is rarely the case. That said, I am currently working on a 2.5.3.0 ESAPI release that will update to AntiSamy 1.7.4, which addresses this https://github.com/nahsra/antisamy/security/advisories/GHSA-pcf2-gh6g-h5r2?cve=title and the CVE associated with it. ESAPI's default antisamy-esapi.xml AntiSamy policy file is not subject to this XSS vulnerability because ESAPI's AntiSamy policy file is much stricter than those delivered with AntiSamy. Unfortunately, I seem to have picked up a flu bug last week and am trying to fight through that, so the new 2.5.3.0 is taking a lot longer than desired.
According to the results I see, ESAPI 2.5.0.0 depends on antisamy 1.7.0, which depends on org.apache.xmlgraphics:batik-css:1.14. Updating to the latest ESAPI won't fix this, or at least that is not mentioned in any release notes I can see.
Can some kind person (the authors?) confirm this or otherwise tell me what version to update to? Many thanks...
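For anyone landing on this thread with the same scanner finding, the practical check is to look at which batik-css version your build actually resolves, and, if you cannot move to an ESAPI release whose AntiSamy pulls in a fixed Batik, to override the transitive version yourself. The Maven fragment below is an added example, not code from the ESAPI or AntiSamy projects; it assumes a Maven build using the org.owasp.esapi:esapi coordinates, and pins batik-css to 1.16, the version the thread reports for ESAPI 2.5.2.0. Any version you pin should be re-validated against your scanner and a quick smoke test of AntiSamy's CSS sanitization, since a forced upgrade of a transitive dependency can break the library that depends on it.

```xml
<!-- Added example (hypothetical pom.xml fragment), not the ESAPI project's own build file.
     Step 1: confirm what your build really resolves before changing anything:
         mvn dependency:tree -Dincludes=org.apache.xmlgraphics:batik-css
     The output shows the path, e.g. esapi -> antisamy -> batik-css, and the resolved version.
     Step 2 (only if the resolved version is still one your scanner flags): pin it here. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement wins over the version declared transitively by AntiSamy,
           so every path that pulls in batik-css resolves to this version. -->
      <dependency>
        <groupId>org.apache.xmlgraphics</groupId>
        <artifactId>batik-css</artifactId>
        <version>1.16</version> <!-- version reported in the thread for ESAPI 2.5.2.0 -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.5.2.0</version> <!-- latest release named in the thread as of 2023-10-16 -->
    </dependency>
  </dependencies>
</project>
```

After adding the override, re-run `mvn dependency:tree -Dincludes=org.apache.xmlgraphics:batik-css` and confirm the tree shows the pinned version (Maven marks a managed override with "(version managed from 1.14)"), then re-run the scanner. Prefer upgrading ESAPI itself when a release that moves AntiSamy and Batik forward is available, and treat the pin as a stopgap that you remove once the upgrade lands.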