CVE-2022-23457
Severity: HIGH
OWASP Enterprise Security API < 2.3.0.0 - Path Traversal via Validator.getValidDirectoryPath
Title source: LLM
Exploitation Summary
EIP tracks 3 public exploits for CVE-2022-23457. PoCs published by dawetmaster, andikahilmy, shoucheng3; the analyses below found no working exploit code in any of them.
Description
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory, so a path that actually lies outside the parent can pass the check. This could allow control-flow checks that rely on the method's result to be bypassed if an attacker can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface; however, the maintainers do not recommend this. The fix is to upgrade to 2.3.0.0 or later.
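The mistake the advisory describes, accepting an input path as a child of the parent directory when it is not, is easiest to see with a containment check that compares canonical paths as plain strings. The code below is an added illustration written for this page, not ESAPI's DefaultValidator source (the exact pre-2.3.0.0 logic is not reproduced here); the class name, the naiveIsUnder/strictIsUnder helpers and the /srv/app/uploads sample root are all assumptions for the demonstration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class DirectoryPathCheck {

    // Flawed containment check (illustrative, not ESAPI's code): a String
    // prefix test. "/srv/app/uploads-old" starts with "/srv/app/uploads",
    // so a sibling directory is wrongly accepted as a child of the parent.
    static boolean naiveIsUnder(File parent, String input) throws IOException {
        String parentCanonical = parent.getCanonicalPath();
        String inputCanonical = new File(input).getCanonicalPath();
        return inputCanonical.startsWith(parentCanonical);
    }

    // Hardened check: compare canonical paths element by element.
    // Path.startsWith matches whole name elements, so "uploads-old" never
    // matches "uploads". getCanonicalFile also collapses ".." and, for
    // components that exist on disk, resolves symlinks.
    static boolean strictIsUnder(File parent, String input) throws IOException {
        Path parentPath = parent.getCanonicalFile().toPath();
        Path inputPath = new File(input).getCanonicalFile().toPath();
        // Note: this accepts the parent itself; add !inputPath.equals(parentPath)
        // if the caller requires a strict descendant.
        return inputPath.startsWith(parentPath);
    }

    public static void main(String[] args) throws IOException {
        File parent = new File("/srv/app/uploads");   // constructed sample root
        String[] inputs = {
            "/srv/app/uploads/2024",        // legitimate child: both true
            "/srv/app/uploads-old/2024",    // sibling sharing the prefix: naive=true, strict=false
            "/srv/app/uploads/../secrets",  // traversal out of the root: both false after canonicalization
        };
        for (String in : inputs) {
            System.out.printf("%-32s naive=%-5b strict=%b%n",
                    in, naiveIsUnder(parent, in), strictIsUnder(parent, in));
        }
    }
}
```

Because getCanonicalPath only resolves symlinks for path components that actually exist, run this against real directories when testing your own wrapper; a symlink inside the parent that points outside it is exactly the kind of input the strict check needs the real filesystem to catch. None of this replaces upgrading ESAPI to 2.3.0.0, which is the supported fix.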
Exploits (3)
This repository appears to be a fork of the OWASP ESAPI Java Legacy project with no exploit code or technical analysis related to CVE-2022-23457. It contains build configurations, documentation, and examples but lacks any PoC or vulnerability details.
This repository appears to be a fork of the OWASP ESAPI Java Legacy project with no explicit exploit code or technical analysis related to CVE-2022-23457. It contains build configurations, documentation, and example scripts but lacks a functional exploit PoC or vulnerability details.
This repository contains the OWASP ESAPI (Enterprise Security API) for Java (Legacy) project documentation and source code. It does not include an exploit PoC but provides context around the CVE-2022-23457 vulnerability in the ESAPI library.
Scores
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Base score 7.5 (High) computed from this vector: network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability. The high attack complexity reflects that the attacker must control the entire 'input' path string passed to the validator.