CVE-2022-24891 Overview
CVE-2022-24891 is a Cross-Site Scripting (XSS) vulnerability affecting OWASP ESAPI (Enterprise Security API), a widely used open-source web application security control library. The vulnerability exists in versions prior to 2.3.0.0 due to an incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configuration file. This flaw allows javascript: URLs to bypass the sanitization process, enabling attackers to inject malicious scripts into web applications that rely on ESAPI for input validation.
Critical Impact
Applications using vulnerable ESAPI versions may be susceptible to XSS attacks, allowing attackers to execute arbitrary JavaScript in users' browsers, potentially leading to session hijacking, credential theft, or defacement.
Affected Products
- OWASP Enterprise Security API (versions prior to 2.3.0.0)
- Oracle WebLogic Server (versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0)
- NetApp Active IQ Unified Manager (Linux, VMware vSphere, Windows)
- NetApp OnCommand Workflow Automation
Discovery Timeline
- April 27, 2022 - CVE-2022-24891 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2022-24891
Vulnerability Analysis
The vulnerability stems from a flawed regular expression pattern used to validate on-site URLs within the AntiSamy component of ESAPI. The antisamy-esapi.xml configuration file contains regex patterns designed to sanitize user input and prevent XSS attacks. However, the regular expression for the "onsiteURL" directive fails to properly identify and block javascript: protocol URLs.
When a web application processes user-supplied URLs through ESAPI's validation routines, the defective regex pattern allows certain malformed javascript: URLs to pass through the sanitization filter. This creates an opportunity for attackers to inject executable JavaScript code into the application, which will then be rendered in victims' browsers.
The vulnerability is particularly concerning because ESAPI is explicitly designed as a security library. Developers integrating ESAPI into their applications expect it to protect against XSS attacks, making this bypass especially dangerous as it undermines the security assumptions of the application.
Root Cause
The root cause is an incorrect regular expression pattern in the antisamy-esapi.xml configuration file. The "onsiteURL" regex was designed to match and allow legitimate site URLs while blocking potentially dangerous protocols. However, the pattern did not account for all variations of javascript: URL encoding or formatting, allowing certain payloads to evade detection.
The AntiSamy library uses these regex patterns during HTML sanitization to determine which URL schemes are safe. When the pattern fails to match a malicious URL, it may be incorrectly classified as safe and passed through to the output without proper encoding or rejection.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker can exploit this vulnerability by crafting a malicious URL containing JavaScript code that bypasses the flawed regex pattern. The attack scenario typically involves:
- The attacker identifies a web application using a vulnerable version of ESAPI for input sanitization
- The attacker crafts a specially formatted javascript: URL that evades the "onsiteURL" regex pattern
- The malicious URL is submitted to the application through a form field, URL parameter, or other input mechanism
- ESAPI's antisamy module processes the input but fails to sanitize the malicious URL
- The unsanitized URL is rendered in the victim's browser, executing the attacker's JavaScript code
The vulnerability requires the victim to interact with the malicious content, such as clicking a link or viewing a page containing the injected script. Once executed, the attacker's script runs with the same privileges as the legitimate application code in the victim's browser context.
Detection Methods for CVE-2022-24891
Indicators of Compromise
- Unusual JavaScript execution patterns in web application logs that include encoded javascript: protocol handlers
- HTTP requests containing obfuscated or unusual URL-encoded sequences targeting input fields processed by ESAPI
- Web application firewall logs showing attempted XSS payloads that bypass standard sanitization
- User reports of unexpected browser behavior or redirects when interacting with application forms
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block javascript: protocol variations in URL parameters and form inputs
- Enable detailed logging for ESAPI validation operations to identify sanitization bypass attempts
- Conduct regular code audits to identify applications using vulnerable ESAPI versions (prior to 2.3.0.0)
- Deploy runtime application self-protection (RASP) solutions to detect anomalous script execution patterns
Monitoring Recommendations
- Monitor web server access logs for URL patterns containing encoded or obfuscated javascript: strings
- Configure security information and event management (SIEM) alerts for XSS attack signatures specific to ESAPI bypass techniques
- Implement Content Security Policy (CSP) headers and monitor for violations that may indicate exploitation attempts
- Review browser console errors and CSP violation reports for signs of blocked script injection
How to Mitigate CVE-2022-24891
Immediate Actions Required
- Upgrade ESAPI to version 2.3.0.0 or later, which contains the corrected regular expression pattern
- Review and audit all applications using ESAPI to identify affected deployments
- Implement additional input validation layers as defense-in-depth while upgrades are scheduled
- Apply vendor patches for Oracle WebLogic Server and NetApp products as documented in their respective security advisories
Patch Information
The vulnerability is addressed in ESAPI version 2.3.0.0. Organizations should upgrade to this version or later to remediate the vulnerability. Detailed information about the fix is available in the ESAPI Release Notes 2.3.0.0 and the GitHub Security Advisory GHSA-q77q-vx4q-xx6q.
For Oracle WebLogic Server deployments, refer to the Oracle Security Alert CPU July 2022 for applicable patches. NetApp customers should review the NetApp Security Advisory NTAP-20230127-0014 for guidance on affected products.
Workarounds
- Manually edit the antisamy-esapi.xml configuration file to correct the "onsiteURL" regular expression as detailed in the maintainers' security bulletin
- Implement Content Security Policy (CSP) headers that restrict inline script execution and limit script sources to trusted domains
- Add application-level URL validation that explicitly blocks javascript: protocol URLs before passing input to ESAPI
- Deploy a web application firewall with rules specifically targeting javascript: URL variations to provide an additional layer of protection
# Verify ESAPI version in Maven project
mvn dependency:tree | grep esapi
# Check for vulnerable versions in Gradle projects
gradle dependencies | grep esapi
# Locate antisamy-esapi.xml configuration files for manual review
find /path/to/application -name "antisamy-esapi.xml" -type f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
