First published: Mon Apr 25 2022
ESAPI (the OWASP Enterprise Security API) is a free, open source web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This could allow control-flow checks that rely on that validation to be bypassed if an attacker can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface; however, the maintainers do not recommend this.
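The advisory does not spell out how the pre-2.3.0.0 check went wrong. The example below, added here by the editor and not taken from ESAPI's own source, assumes the usual form of this mistake: canonicalising both paths and then testing containment with `String.startsWith`, so that a sibling directory whose name merely begins with the parent's name (`data2` under a parent of `data`) passes as a child. It places that check beside a hardened one that compares whole path elements, and runs both over a constructed temp-directory layout. The class name, method names and directory names are the editor's own; the only ESAPI identifier involved is the `getValidDirectoryPath` call site named in the prose, which this code does not invoke.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class DirectoryPathCheck {

    /**
     * Assumed shape of the pre-2.3.0.0 mistake (editor's assumption, not
     * ESAPI's code): canonicalise both paths, then test with String.startsWith.
     * "/base/data" is a character prefix of "/base/data2", so a sibling
     * directory is accepted as if it were a child of the parent.
     */
    static boolean isChildByStringPrefix(File parent, File candidate) throws IOException {
        String parentCanonical = parent.getCanonicalPath();
        String candidateCanonical = candidate.getCanonicalPath();
        return candidateCanonical.startsWith(parentCanonical);
    }

    /**
     * Hardened form: compare whole name elements after canonicalisation.
     * Path.startsWith(Path) only matches on element boundaries, so "data2"
     * is not under "data" and "data/../data2" canonicalises away from the
     * parent. Equal paths still return true; reject that case explicitly if
     * the caller must only ever receive a strict descendant.
     */
    static boolean isChildByPathElements(File parent, File candidate) throws IOException {
        Path parentCanonical = parent.getCanonicalFile().toPath();
        Path candidateCanonical = candidate.getCanonicalFile().toPath();
        return candidateCanonical.startsWith(parentCanonical);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout under a fresh temp directory:
        //   base/data      the allowed parent
        //   base/data2     a sibling that collides on a string prefix
        //   base/data/sub  a genuine child
        Path base = Files.createTempDirectory("cve-2022-23457-demo");
        File allowed = Files.createDirectory(base.resolve("data")).toFile();
        File sibling = Files.createDirectory(base.resolve("data2")).toFile();
        File child = Files.createDirectory(allowed.toPath().resolve("sub")).toFile();
        // Attacker-controlled input string that canonicalises to the sibling.
        File traversal = new File(allowed, ".." + File.separator + "data2");

        File[] inputs = { child, sibling, traversal };
        for (File input : inputs) {
            System.out.printf("%-60s prefix=%-5b elements=%b%n",
                    input.getPath(),
                    isChildByStringPrefix(allowed, input),
                    isChildByPathElements(allowed, input));
        }
    }
}
```

Compile and run with `javac DirectoryPathCheck.java && java DirectoryPathCheck`. The string-prefix check accepts the sibling and the `..`-traversal input as children of `data`; the element-wise check accepts only the genuine child. In an application the corresponding ESAPI call is `ESAPI.validator().getValidDirectoryPath(context, input, parentDir, false)`; the defect is inside the library's default implementation, so the remedy is to upgrade to 2.3.0.0 or later rather than to wrap the call.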
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
OWASP Enterprise Security API | <2.3.0.0 | Upgrade to 2.3.0.0 or later |
Oracle WebLogic Server | =12.2.1.3.0 | |
Oracle WebLogic Server | =12.2.1.4.0 | |
Oracle WebLogic Server | =14.1.1.0.0 | |
NetApp Active IQ Unified Manager (Linux) | | |
NetApp Active IQ Unified Manager (VMware vSphere) | | |
NetApp Active IQ Unified Manager (Windows) | | |
NetApp OnCommand Workflow Automation | | |
CVE-2022-23457 is a vulnerability in the ESAPI (OWASP Enterprise Security API) library: the default implementation of `Validator.getValidDirectoryPath` can accept an input path that is not actually inside the specified parent directory, so access checks built on that validation can be bypassed.
The severity level of CVE-2022-23457 is critical, with a CVSS score of 9.8.
CVE-2022-23457 affects the software listed in the table above: OWASP Enterprise Security API prior to version 2.3.0.0, Oracle WebLogic Server 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0, NetApp Active IQ Unified Manager (Linux, VMware vSphere and Windows), and NetApp OnCommand Workflow Automation.
An attacker who controls the entire 'input' path string can exploit CVE-2022-23457 by supplying a value that the validator incorrectly treats as a child of the specified parent directory, which can lead to directory traversal.
Yes, patches and fixes are available for CVE-2022-23457. The fix is in ESAPI release 2.3.0.0; upgrade to that release or later. For products that bundle the vulnerable library, such as the Oracle WebLogic Server and NetApp releases listed above, apply the security patches provided by the vendor.