2.3.0.0

@kwwall kwwall released this 17 Apr 23:50
· 289 commits to develop since this release
esapi-2.3.0.0
7797bc3

Full release notes for ESAPI release 2.3.0.0 are located at:
https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt

IMPORTANT Note: Because this release of ESAPI fixes several vulnerabilities, it is extremely important that you read the FULL release notes and the referenced GitHub Security Advisories. Previous ESAPI users who skip them will likely miss some critical remediation steps, because remediating CVE-2022-24891 involves more than simply upgrading your dependency to ESAPI 2.3.0.0.

Remediates

Finally, to fully remediate CVE-2022-24891, note that the file "esapi-2.3.0.0-configuration.jar" (see below) contains the default ESAPI configuration files under 'configuration/' (ESAPI.properties, validation.properties, etc.). The file "esapi-2.3.0.0-configuration.jar.asc" is a GPG signature of that jar file made by 'Kevin W. Wall (GitHub signing key) [email protected]'. You NEED this jar (or a manual change) to get the important update to the antisamy-esapi.xml file.
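One way to check the configuration jar against its signature and compare its antisamy-esapi.xml with the copy you have deployed, as an added example that is not part of the ESAPI release. It assumes `gpg` and `unzip` are installed, both files are in the current directory and the signer's public key is already imported; the function names are hypothetical and `EXPECTED_FPR` is a placeholder for a fingerprint you obtain from a trusted source.

```shell
#!/bin/sh
# Added example (not from the ESAPI project). Usage:
#   sh check-esapi-config.sh <EXPECTED_FPR> <path/to/deployed/antisamy-esapi.xml>
# EXPECTED_FPR is a placeholder: the 40-hex-digit fingerprint (uppercase, no
# spaces) of the release signing key, obtained from a source you trust.
JAR=esapi-2.3.0.0-configuration.jar
SIG=$JAR.asc

# Read `gpg --status-fd` output on stdin; print the primary-key fingerprint of
# the first VALIDSIG line (its last field). Exit 1 if there is none.
validsig_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; found = 1; exit }
       END { exit !found }'
}

# Read a jar listing on stdin (one entry per line); print the entry named
# antisamy-esapi.xml. Exit 1 unless exactly one entry matches.
antisamy_entry() {
  hits=$(grep -E '(^|/)antisamy-esapi\.xml$') || return 1
  [ "$(printf '%s\n' "$hits" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$hits"
}

# $1 = expected fingerprint, $2 = scratch directory. Verifies the detached
# signature over the jar, then extracts antisamy-esapi.xml and prints its path.
verify_and_extract() {
  status=$(gpg --status-fd 1 --verify "$SIG" "$JAR" 2>/dev/null) || {
    echo "gpg did not accept $SIG for $JAR" >&2; return 1; }
  fpr=$(printf '%s\n' "$status" | validsig_fpr) || return 1
  [ "$fpr" = "$1" ] || { echo "signed by unexpected key $fpr" >&2; return 1; }
  entry=$(unzip -Z1 "$JAR" | antisamy_entry) || return 1
  unzip -o -q "$JAR" "$entry" -d "$2" || return 1
  printf '%s\n' "$2/$entry"
}

if [ "$#" -eq 2 ]; then
  tmp=$(mktemp -d) || exit 1
  new=$(verify_and_extract "$1" "$tmp") || exit 1
  if cmp -s "$new" "$2"; then
    echo "deployed antisamy-esapi.xml matches the 2.3.0.0 default"
  else
    echo "deployed antisamy-esapi.xml differs from the 2.3.0.0 default:"
    diff -u "$2" "$new"
  fi
fi
```

A reported difference is not necessarily a problem if the deployed file was customized; review the diff against the change described in the full release notes and the security advisory.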