ESAPI esapi-java-legacy SQL Injection Defense Bypass Vulnerability in Encoder.encodeForSQL
Vulnerability
A SQL injection defense bypass has been identified in the ESAPI library, specifically in 'esapi-java-legacy' version 2.6.2.0 and earlier. The issue lies in the SQL Injection Defense feature, in particular the 'Encoder.encodeForSQL' method, which handles certain special characters improperly; input that the method is expected to neutralise can therefore still reach the database query and lead to SQL injection. The vulnerability can be exploited remotely and without authentication.
Impact
Exploitation bypasses the SQL injection defense provided by 'Encoder.encodeForSQL', potentially leading to successful SQL injection attacks against the application's database.
Reproduction
The issue is triggered when 'Encoder.encodeForSQL' is used with the Oracle codec or with the MySQL codec in ANSI mode. In these configurations the encoding can be bypassed, so the SQL injection defense does not hold and SQL injection becomes possible.
Remediation
Upgrading to ESAPI version 2.7.0.0 addresses this vulnerability; the updated release is available on the ESAPI GitHub releases page.
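As an added triage aid (example code, not part of the advisory or of the ESAPI project), the script below checks a Maven project for the affected dependency range (org.owasp.esapi:esapi below 2.7.0.0, the fixed version named above) and lists Java source files that call 'encodeForSQL' together with the Oracle codec or the MySQL codec in ANSI mode, the two configurations the advisory names. The call-site heuristics, the regular expressions and the sample pom.xml and Java sources are assumptions constructed for the example; the class names 'OracleCodec' and 'MySQLCodec' are ESAPI's own.

```python
"""Audit helper for the ESAPI encodeForSQL advisory (esapi-java-legacy <= 2.6.2.0).
Example code with constructed inputs; not ESAPI code."""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (2, 7, 0, 0)          # first fixed release named in the advisory
AFFECTED_GROUP, AFFECTED_ARTIFACT = "org.owasp.esapi", "esapi"

# Heuristics (assumption): the affected feature is reached through Encoder.encodeForSQL
# with OracleCodec or MySQLCodec in ANSI mode, so flag files that contain both.
CALL_SITE = re.compile(r"\bencodeForSQL\s*\(")
AFFECTED_CODEC = re.compile(r"\bOracleCodec\b|MySQLCodec\s*\([^)]*ANSI")


def parse_version(text):
    """'2.6.2.0' -> (2, 6, 2, 0); shorter strings are zero-padded so tuples compare cleanly.
    Returns None for unresolved Maven properties such as ${esapi.version}."""
    if "${" in text:
        return None
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        return None
    return tuple((parts + [0, 0, 0, 0])[:4])


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def esapi_versions(pom_xml):
    """Version strings of every org.owasp.esapi:esapi <dependency> in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    versions = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == AFFECTED_GROUP and fields.get("artifactId") == AFFECTED_ARTIFACT:
            versions.append(fields.get("version", ""))
    return versions


def is_affected(version_text):
    """True if the version is below 2.7.0.0; None if it cannot be resolved from the POM alone."""
    v = parse_version(version_text)
    return None if v is None else v < FIXED_VERSION


def encode_for_sql_call_sites(java_source):
    """1-based line numbers of encodeForSQL(...) calls in a Java source string."""
    return [n for n, line in enumerate(java_source.splitlines(), 1) if CALL_SITE.search(line)]


def audit(pom_xml, java_files):
    """java_files: {path: source}. Returns a dict summarising exposure for triage."""
    versions = esapi_versions(pom_xml)
    exposed = {}
    for path, src in java_files.items():
        sites = encode_for_sql_call_sites(src)
        if sites and AFFECTED_CODEC.search(src):
            exposed[path] = sites
    return {
        "esapi_versions": versions,
        "affected_dependency": any(is_affected(v) for v in versions),
        "unresolved_versions": [v for v in versions if is_affected(v) is None],
        "exposed_call_sites": exposed,
    }


# Constructed sample inputs (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.owasp.esapi</groupId>
      <artifactId>esapi</artifactId>
      <version>2.6.2.0</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_JAVA = {
    "OracleDao.java": """import org.owasp.esapi.ESAPI;
import org.owasp.esapi.codecs.OracleCodec;
class OracleDao {
  String q(String name) {
    String safe = ESAPI.encoder().encodeForSQL(new OracleCodec(), name);
    return "SELECT * FROM users WHERE name='" + safe + "'";
  }
}""",
    "SafeDao.java": """class SafeDao {
  // PreparedStatement with bound parameters; no encodeForSQL, so not exposed
  String q() { return "SELECT * FROM users WHERE name=?"; }
}""",
}

if __name__ == "__main__":
    print(audit(SAMPLE_POM, SAMPLE_JAVA))
```

Versions given as unresolved Maven properties are reported separately rather than guessed, so a property-managed build is not silently marked clean; the call-site list points at the code to re-test after the upgrade to 2.7.0.0 or to migrate to parameterised queries.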
