CVE-2022-23457

Published: Apr 25, 2022Modified: Nov 3, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.

Affected (8)

Products: Owasp: Enterprise Security Api · Oracle: Weblogic Server · Netapp: Active Iq Unified Manager, Oncommand Workflow Automation

1 product

Enterprise Security Api

1 product

Weblogic Server

2 products

Active Iq Unified Manager

Oncommand Workflow Automation

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Owasp Enterprise Security Api	Before 2.3.0.0

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Oracle Weblogic Server	Version 12.2.1.3.0
Oracle Weblogic Server	Version 12.2.1.4.0
Oracle Weblogic Server	Version 14.1.1.0.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions
Netapp Active Iq Unified Manager	All versions
Netapp Oncommand Workflow Automation	All versions

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (11)

https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt

Source: security-advisories@github.com

Release Notes

https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2

Source: security-advisories@github.com

PatchThird Party Advisory

https://security.netapp.com/advisory/ntap-20230127-0014/

Source: security-advisories@github.com

Third Party Advisory

https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/

Source: security-advisories@github.com

ExploitThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Release Notes

https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20230127-0014/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.