CVE-2022-23457
Control-flow bypass vulnerability in esapi (Maven)
What is CVE-2022-23457 About?
This vulnerability is a control-flow bypass issue in `Validator.getValidDirectoryPath` that causes certain input strings to be treated incorrectly. This can defeat the security check the method is supposed to provide, potentially enabling malicious directory path manipulation. Although it requires a specifically crafted input, exploitation is moderately easy because the flaw sits directly in the validation logic.
Affected Software
Technical Details
The vulnerability resides in the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean). It incorrectly accepts certain input strings as valid child paths of the specified parent directory. An attacker who fully controls the 'input' path string can craft one that passes the check while referring to a location outside the intended parent, effectively bypassing the intended control-flow checks. This lets the attacker manipulate the directory path that the application believes it is operating on, potentially leading to unauthorized file system access or modification, by subverting the directory validation logic that is meant to restrict path traversal.
What is the Impact of CVE-2022-23457?
Successful exploitation may allow attackers to bypass security checks, gain unauthorized access to file system resources, or manipulate application control flow, potentially leading to data breaches or system compromise.
What is the Exploitability of CVE-2022-23457?
Exploitation of this vulnerability involves crafting a specific input string to the getValidDirectoryPath() method. The complexity is moderate, requiring an understanding of how the method parses and validates directory paths. No specific authentication or high privilege levels are explicitly mentioned as prerequisites, suggesting it could be exploited by an authenticated or unauthenticated attacker who can control the input to the affected function. Access type is likely remote if the vulnerable function is exposed via a web application or API. The primary constraint is the ability to fully specify the input path string, which, if achieved, makes the exploit straightforward. Risk factors include applications that accept user-supplied directory paths without robust validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| shoucheng3 | Link | PoC for CVE-2022-23457 |
What are the Available Fixes for CVE-2022-23457?
About the Fix from Resolved Security
The patch replaces a simple string-based validation with a more robust check that walks up the directory hierarchy to ensure the target directory is truly a subdirectory of the intended parent, using canonical file paths. This fix addresses CVE-2022-23457 by eliminating the possibility of path traversal attacks through path manipulation (e.g., using similar prefixes like "/var/app" and "/var/app-evil") that could previously bypass the string-prefix check.
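To make the difference between the two checks described above concrete, the following added example (not ESAPI's own code, and not part of this page) models both behaviours in Python: a canonical-path string-prefix check of the kind the pre-2.3.0.0 implementation relied on, beside an ancestor walk of the kind the fix introduced. The directory layout under a temporary root ("var/app" next to "var/app-evil") is constructed for the demonstration, and treating the parent itself as an acceptable result is an assumption of this model.

```python
import os
import tempfile


def prefix_check(parent: str, candidate: str) -> bool:
    """Weak check: canonicalise both paths (os.path.realpath stands in for
    Java's getCanonicalPath) and accept when the candidate string merely
    starts with the parent string. Nothing enforces a separator boundary,
    so a sibling such as /var/app-evil passes for parent /var/app."""
    parent_c = os.path.realpath(parent)
    cand_c = os.path.realpath(candidate)
    return cand_c.startswith(parent_c)


def ancestor_check(parent: str, candidate: str) -> bool:
    """Hardened check: walk up the candidate's canonical path one directory
    at a time and accept only if an ancestor (or the path itself) equals the
    parent's canonical path. Stops at the filesystem root."""
    parent_c = os.path.realpath(parent)
    cur = os.path.realpath(candidate)
    while True:
        if cur == parent_c:
            return True
        up = os.path.dirname(cur)
        if up == cur:  # reached the root without meeting the parent
            return False
        cur = up


def demo() -> dict:
    """Build the constructed layout and return {case: (weak, hardened)}."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "var", "app")
        evil = os.path.join(root, "var", "app-evil")
        os.makedirs(os.path.join(app, "uploads"))
        os.makedirs(evil)
        cases = {
            "child": os.path.join(app, "uploads"),
            "parent itself": app,
            "sibling with shared prefix": evil,
            "traversal back to sibling": os.path.join(app, "..", "app-evil"),
            "escape above parent": os.path.join(app, "..", ".."),
        }
        return {n: (prefix_check(app, p), ancestor_check(app, p))
                for n, p in cases.items()}


if __name__ == "__main__":
    for name, (weak, hardened) in demo().items():
        print(f"{name:28s} weak={weak!s:5s} hardened={hardened}")
```

The two sibling cases are the ones that matter: the weak check accepts them because the canonical string shares the parent's prefix, while the ancestor walk rejects them.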
Available Upgrade Options
- org.owasp.esapi:esapi
  - <2.3.0.0 → Upgrade to 2.3.0.0
Additional Resources
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2
- https://nvd.nist.gov/vuln/detail/CVE-2022-23457
- https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API
- https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt
- https://github.com/ESAPI/esapi-java-legacy
- https://security.netapp.com/advisory/ntap-20230127-0014
- https://osv.dev/vulnerability/GHSA-8m5h-hrqm-pxm2
What are Similar Vulnerabilities to CVE-2022-23457?
Similar Vulnerabilities: CVE-2023-28102, CVE-2021-3807, CVE-2020-13775, CVE-2019-1002000, CVE-2018-19787
