ESAPI / esapi-java

BSD 3-Clause "New" or "Revised" License

Version 2.5.1.0 still can be used #19

Open bharathmit opened 2 months ago

bharathmit commented 2 months ago

We don't intend to switch to the newest version of esapi jar; we are currently utilizing 2.5.1.0.

We discovered that 2.5.1.0 contains some vulnerabilities in the jars. So, can we still utilize the jar? Also, what is the end of life/support (EOL/EOS) for version 2.5.1.0?

kwwall commented 2 months ago

@bharathmit - As per our security policy, we only support the latest 2.x release. So, 2.5.1.0 is already past end-of-life. Everything except the current release is.

That largely is because:

  1. These generally are only point releases and almost always backward compatible with previous versions. (When we are aware that it's not, we mention that in the release notes for that particular version.)
  2. The development team for ESAPI consists only of 3 core contributors, all of whom have full-time jobs, and thus we do not have the spare cycles to back-port fixes for vulnerabilities.
  3. Most of the vulnerabilities that are in a given release arise from dependencies, sometimes direct and sometimes transitive dependencies.

So, you really ought to update to ESAPI release 2.5.4.0.

That said, if you don't, you may find this Vulnerability Summary helpful. It references the relevant Security Bulletin that describes if ESAPI is actually impacted (that is, if the vulnerability has an exploitable path via a standard ESAPI configuration) and often, what workarounds are available.