CVE-2022-23457

Path traversal in the OWASP Enterprise Security API in maven/org.owasp.esapi/esapi

Identifiers

CVE-2022-23457, GHSA-8m5h-hrqm-pxm2

Package Slug

maven/org.owasp.esapi/esapi

Vulnerability

Path traversal in the OWASP Enterprise Security API

Description

ESAPI (The OWASP Enterprise Security API) is a free, open-source web application security control library. Prior to version 2.3.0.0, the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) may incorrectly treat the tested input string as a child of the specified parent directory. This could allow control-flow checks that rely on the result to be bypassed if an attacker can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface; however, the maintainers do not recommend this.
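The property that getValidDirectoryPath is relied on for is containment: an input path must resolve to the given parent directory or one of its descendants, after ".." segments and symlinks are resolved. The following is an added illustration of such a check and is not ESAPI's code or its 2.3.0.0 fix; the class name DirectoryContainment, the methods isWithin and naiveIsWithin, and the sample paths are all constructed for this example. The naive variant is included only to show a general pitfall of prefix-based containment checks (a plain string prefix match accepts a sibling directory that merely shares the parent's name); the page does not state that this was ESAPI's specific defect.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added example (not ESAPI's own code): a separator-aware containment check
 * of the kind a caller expects from Validator.getValidDirectoryPath.
 */
public final class DirectoryContainment {

    private DirectoryContainment() {}

    /**
     * Returns true only if input resolves to parent itself or to a path below it.
     * Both sides are canonicalised so ".." segments and symlinks are resolved
     * before comparison; the parent prefix is then matched on a directory
     * boundary, so "/srv/data" does not match "/srv/data2/...".
     */
    public static boolean isWithin(File parent, String input) throws IOException {
        String parentCanon = parent.getCanonicalPath();
        String inputCanon = new File(input).getCanonicalPath();
        if (inputCanon.equals(parentCanon)) {
            return true;
        }
        String prefix = parentCanon.endsWith(File.separator)
                ? parentCanon
                : parentCanon + File.separator;
        return inputCanon.startsWith(prefix);
    }

    /**
     * Naive prefix check, shown only for contrast: it canonicalises, but a
     * bare startsWith accepts sibling directories whose names extend the
     * parent's name (e.g. "/srv/data2" under "/srv/data").
     */
    public static boolean naiveIsWithin(File parent, String input) throws IOException {
        return new File(input).getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths; they do not need to exist for canonicalisation.
        File parent = new File("/srv/data");
        String[] inputs = {
            "/srv/data/report.txt",        // inside parent: both checks accept
            "/srv/data/../data/notes.txt", // normalises back inside: both accept
            "/srv/data/../etc/passwd",     // escapes parent: both reject
            "/srv/data2/secret.txt"        // sibling directory: naive check wrongly accepts
        };
        for (String in : inputs) {
            System.out.printf("%-30s strict=%-5b naive=%-5b%n",
                    in, isWithin(parent, in), naiveIsWithin(parent, in));
        }
    }
}
```

In application code the check is normally delegated to the library rather than hand-rolled: on ESAPI 2.3.0.0 or later, callers pass the untrusted string and the intended parent to ESAPI.validator().getValidDirectoryPath(context, input, parent, allowNull), as listed in the description above, and treat a thrown validation exception as a rejected path. The helper here only makes the containment property being checked explicit.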

Affected Versions

All versions before 2.3.0.0

Solution

Upgrade to version 2.3.0.0 or above.

Last Modified

2022-05-01
