USN-8181-1: ESAPI vulnerabilities
Ubuntu DesktopCanonical
USN-8181-1: ESAPI vulnerabilities
Publication date: 16 April 2026
Overview: Several security issues were fixed in ESAPI.
Packages
libowasp-esapi-java - Web application security control library from OWASP
Details
Jaroslav Lobačevski discovered that ESAPI incorrectly validated directory
paths during path verification. An attacker could possibly use this issue
to bypass directory validation checks, leading to control-flow bypass. This
issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS,
and Ubuntu 22.04 LTS. (CVE-2022-23457)
Kevin W. Wall and Sebastian Passaro discovered that ESAPI did not properly
sanitize javascript URLs because of an incorrect regular expression. An
attacker could possibly use this issue to perform a cross-site scripting
attack. This issue only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu
20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2022-24891)
Longlong Gong discovered that ESAPI did not properly neutralize special
elements during SQL injection defense. A remote attacker could possibly use
this issue to perform SQL injection. (CVE-2025-5878)
Update instructions
In general, a standard system update will make all the necessary changes.
The problem can be corrected by updating your system to the following package versions:
24.04 LTS noble
- libowasp-esapi-java – 2.4.0.0-2ubuntu0.1
22.04 LTS jammy
- libowasp-esapi-java – 2.2.3.1-1ubuntu0.1~esm1
- libowasp-esapi-java-doc – 2.2.3.1-1ubuntu0.1~esm1
20.04 LTS focal
- libowasp-esapi-java – 2.1.0-3ubuntu0.20.04.1~esm1
- libowasp-esapi-java-doc – 2.1.0-3ubuntu0.20.04.1~esm1
18.04 LTS bionic
- libowasp-esapi-java – 2.1.0-3ubuntu0.18.04.1~esm1
- libowasp-esapi-java-doc – 2.1.0-3ubuntu0.18.04.1~esm1
16.04 LTS xenial
- libowasp-esapi-java – 2.1.0-2ubuntu0.1~esm1
- libowasp-esapi-java-doc – 2.1.0-2ubuntu0.1~esm1
