CVE-2013-5679

OWASP Enterprise Security API for Java 2.x < 2.1.0 - Authenticated-Encryption Bypass via Null MAC

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-5679. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary This repository contains a vulnerable version of OWASP ESAPI Java (legacy) with examples demonstrating the CVE-2013-5679 vulnerability, which involves insecure handling of encrypted properties. The code includes functional examples for encrypting/decrypting properties, logging, and data persistence, showcasing the flawed implementation.

Description

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.

Exploits (2)

nomisec WORKING POC

by dawetmaster · poc

https://github.com/dawetmaster/CVE-2013-5679-esapi-java-legacy-vulnerable

View Code ZIP pw:eip

This repository contains a vulnerable version of OWASP ESAPI Java (legacy) with examples demonstrating the CVE-2013-5679 vulnerability, which involves insecure handling of encrypted properties. The code includes functional examples for encrypting/decrypting properties, logging, and data persistence, showcasing the flawed implementation.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: OWASP ESAPI Java (legacy versions affected by CVE-2013-5679)

No auth needed

Prerequisites: Access to the vulnerable ESAPI Java library · Ability to execute Java code in the target environment

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Mar 14, 2026 Full analysis →

nomisec WORKING POC

by andikahilmy · poc

https://github.com/andikahilmy/CVE-2013-5679-esapi-java-legacy-vulnerable

View Code ZIP pw:eip

This repository contains a vulnerable version of OWASP ESAPI Java (legacy) that demonstrates CVE-2013-5679, a cryptographic vulnerability in the EncryptedProperties class. The provided examples and scripts allow users to interact with the flawed encryption mechanisms, showcasing the vulnerability in action.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Moderate

Reliability

Reliable

Target: OWASP ESAPI Java (legacy versions affected by CVE-2013-5679)

No auth needed

Prerequisites: Access to a system running the vulnerable ESAPI Java version · Ability to execute Java code

MITRE ATT&CK

T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/62415

Various Sources mailing-list x_refsource_mlist

http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html

Exploit x_refsource_confirm

http://code.google.com/p/owasp-esapi-java/issues/detail?id=306

Patch, Vendor Advisory x_refsource_confirm

http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf

Scores

EPSS 0.0005

EPSS Percentile 17.1%

Details

CWE

CWE-310

Status published

Products (3)

org.owasp.esapi/esapi 2.0.0 - 2.1.0Maven

owasp/enterprise_security_api 2.0

owasp/enterprise_security_api 2.0.1

Published Sep 30, 2013

Tracked Since Feb 18, 2026