Hello,
We use SAML addon 0.4.1 in our application. With the default version of the esapi library, our security scanner reports the following vulnerability:
CVE-2022-23457 9.8 org.owasp.esapi:esapi 2.1.0.1
When we try to upgrade to esapi 2.2.0.0, we again get the following list of vulnerabilities:
Scanner1:
esapi (2.2.0.0) - 2 vulnerabilities: GHSA-7c2q-5qmr-v76q, GHSA-8m5h-hrqm-pxm2
Scanner2:
esapi (2.2.0.0) - CVE-2022-23457
When we try to upgrade the library to version 2.4.0.0, we get the following exception:
org.owasp.esapi.errors.ConfigurationException: java.lang.ClassNotFoundException: org.owasp.esapi.reference.JavaLogFactory LogFactory class (org.owasp.esapi.reference.JavaLogFactory) must be in class path.
org.owasp.esapi.util.ObjFactory.make(ObjFactory.java:108)
org.owasp.esapi.ESAPI.logFactory(ESAPI.java:139)
org.owasp.esapi.ESAPI.getLogger(ESAPI.java:155)
Could you please clarify what can be done to continue using SAML in the application and resolve the vulnerability in esapi?
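The ClassNotFoundException quoted above is raised when the class named by the ESAPI.Logger property in ESAPI.properties cannot be loaded. The small diagnostic below is an added example, not code from this thread or from the ESAPI project: it reads an ESAPI.properties file, performs the same Class.forName check that ESAPI's ObjFactory.make does, and reports which of the log factories in the org.owasp.esapi.logging package are actually present on the classpath. The candidate class names in CANDIDATES and the claim that they ship with esapi 2.2.0.0 and later are assumptions to verify against the exact jar you deploy.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/**
 * Diagnostic added to this thread (not the ESAPI project's code): checks whether the
 * log factory named by ESAPI.Logger in ESAPI.properties can be loaded, which is the
 * check ESAPI's ObjFactory.make performs before throwing the ConfigurationException
 * shown in the post.
 */
public class EsapiLoggerCheck {

    /** Property key ESAPI reads to choose its LogFactory implementation. */
    static final String LOGGER_KEY = "ESAPI.Logger";

    /**
     * Log factories shipped under org.owasp.esapi.logging in esapi 2.2.0.0 and later
     * (assumption: confirm against the version on your classpath).
     */
    static final String[] CANDIDATES = {
        "org.owasp.esapi.logging.slf4j.Slf4JLogFactory", // needs slf4j-api plus a binding
        "org.owasp.esapi.logging.java.JavaLogFactory",   // java.util.logging, no extra jars
    };

    /** True if the class is on the classpath; static initialisers are not run. */
    static boolean isLoadable(String className, ClassLoader loader) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            return false;
        }
    }

    /** Returns findings about the configured logger; an empty list means it loads. */
    static List<String> check(Properties props, ClassLoader loader) {
        List<String> findings = new ArrayList<>();
        String configured = props.getProperty(LOGGER_KEY);
        if (configured == null || configured.trim().isEmpty()) {
            findings.add(LOGGER_KEY + " is not set; ESAPI will use its built-in default");
            return findings;
        }
        configured = configured.trim();
        if (!isLoadable(configured, loader)) {
            findings.add(LOGGER_KEY + "=" + configured + " is not on the classpath");
            for (String candidate : CANDIDATES) {
                if (isLoadable(candidate, loader)) {
                    findings.add("available alternative: " + candidate);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        String path = args.length > 0 ? args[0] : "ESAPI.properties";
        Properties props = new Properties();
        try (InputStream in = new FileInputStream(path)) {
            props.load(in);
        }
        List<String> findings = check(props, EsapiLoggerCheck.class.getClassLoader());
        if (findings.isEmpty()) {
            System.out.println(LOGGER_KEY + "=" + props.getProperty(LOGGER_KEY) + " loads");
        } else {
            findings.forEach(System.out::println);
        }
    }
}
```

Run it with the same esapi jar (and its logging dependencies) that the application uses, for example `java -cp esapi-2.4.0.0.jar:. EsapiLoggerCheck /path/to/ESAPI.properties`, pointing at the ESAPI.properties file that ESAPI loads at runtime. If it reports the configured class as missing and one of the org.owasp.esapi.logging factories as available, the ESAPI.Logger value in that file is what the upgrade needs to change.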