owasp enterprise-security-api CVE-2022-23457 vulnerability in OWASP and Other Products
Published on April 25, 2022

Path Traversal in ESAPI

product logo product logo product logo
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.

Github Repository Github Repository Github Repository NVD

Vulnerability Analysis

CVE-2022-23457 can be exploited with network access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2022-23457. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2022-23457 has been classified to as a Directory traversal vulnerability or weakness.


Products Associated with CVE-2022-23457

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-23457 are published in these products:

OWASP Enterprise Security Api
 
Oracle Weblogic Server
 
NetApp Oncommand Workflow Automation
 
NetApp Active Iq Unified Manager
 

Affected Versions

OWASP ESAPI org.owasp.esapi:esapi:

Vulnerable Packages

The following package name and versions may be associated with CVE-2022-23457

Package Manager Vulnerable Package Versions Fixed In
maven com.amazonaws:aws-java-sdk-s3 < 1.12.261 1.12.261
maven org.owasp.esapi:esapi <= 2.2.3.1 2.3.0.0
maven ca.uhn.hapi.fhir:org.hl7.fhir.core < 5.6.106 5.6.106
maven ca.uhn.hapi.fhir:org.hl7.fhir.convertors < 5.6.106 5.6.106
maven ca.uhn.hapi.fhir:org.hl7.fhir.r4b < 5.6.106 5.6.106
maven ca.uhn.hapi.fhir:org.hl7.fhir.r5 < 5.6.106 5.6.106
maven ca.uhn.hapi.fhir:org.hl7.fhir.utilities < 5.6.106 5.6.106
maven ca.uhn.hapi.fhir:org.hl7.fhir.validation < 5.6.106 5.6.106

Exploit Probability

EPSS
0.39%
Percentile
59.38%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.