SAML addon security issues

Hello,

We use SAML addon 0.4.1 in our application. With the default version of the esapi library, our security scanner reports the following vulnerability:
CVE-2022-23457 9.8 org.owasp.esapi:esapi 2.1.0.1

When we try to upgrade to esapi 2.2.0.0, we again get the following list of vulnerabilities:
Scanner1:
esapi (2.2.0.0) - 2 vulnerabilities: GHSA-7c2q-5qmr-v76q, GHSA-8m5h-hrqm-pxm2
Scanner2:
esapi (2.2.0.0) - CVE-2022-23457

When we try to upgrade the library to version 2.4.0.0, we get the following exception:
org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory LogFactory class (org.owasp.esapi.reference.JavaLogFactory) must be in class path.
org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108)
org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)

Could you please clarify what can be done to continue using SAML in the application and resolve the vulnerability in esapi?

Hello Sviatlana,

Regarding the CUBA Platform support status: the free support period was planned to end on 1 March 2025 (Versioning – CUBA Platform), and we later extended it until March 2026 (Jmix 2024 Recap and 2025 Roadmap – Jmix). As of today (3 March 2026), we can only assist via paid services.

About the specific SAML + ESAPI issue: there is no quick universal fix we can provide without reproducing and validating the setup. Depending on your exact project configuration and dependencies, upgrading ESAPI may be possible, but it may also require additional adjustments or may not be compatible in your case.

What we can offer:
• You purchase a 10-hour support package.
• We will use it to analyze your project setup, reproduce the issue, and propose the most reliable remediation path (or a practical workaround) for your environment.

If you would like to proceed, please confirm and we will send the invoice. Once the order is confirmed, please share:
1. CUBA version and SAML add-on version
2. Gradle/Maven dependency tree showing resolved ESAPI version
3. your ESAPI.properties (if customized) and any related security configuration
4. the full stack trace and the scanner output details (CVE/GHSA, detected component path)

Best regards, Alex Burov, Jmix team

Hello Alex,
Could you please clarify how much the 10-hour support package costs?

Hello Sviatlana,
Please go to https://store.jmix.io/store/consulting/configure, choose the required number of hours and your timezone. For fewer than 20 hours, the price is $120 per hour.

My best regards.

Thank you.
Could you please also clarify how much CUBA Platform support costs and whether it includes add-on support (SAML addon: GitHub - cuba-platform/saml-addon: This component provides a readily available instrument of authentication in any CUBA-based application using the SAML open standard. That allows an identity provider to pass authorization credentials to your applications - service providers)?

Hello Sviatlana,
Thanks for your time last week. I am kindly waiting for the next steps to be discussed in the email thread.
Please use my address a.burov@haulmont.com for the communication.