CVE-2022-23457
Description
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the input path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write ones own implementation of the Validator interface. However, maintainers do not recommend this.
Risk Information
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.3.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 12.2.1.4.0 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 14.1.1.0.0 | Windows |
| Vulnerabilities CVE-2022-24891,CVE-2022-23457 are fixed in OWASP-esapi 2.3.0.0 | Windows |
| Multiple Vulnerabilities are affected in Netapp Active Iq Unified Manager 2.3 | Windows |
| Multiple Vulnerabilities are affected in Netapp Oncommand Workflow Automation 2.3 | Windows |
| Vulnerabilities CVE-2022-24891,CVE-2022-23457 are fixed in OWASP-esapi for Linux 2.3.0.0 | Linux |
| CVE-2022-23457 | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234