PT-2022-3553 · Esapi+3

Published: 2022-04-25 · Updated: 2026-04-16 · CVE-2022-23457

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ESAPI versions prior to 2.3.0.0

Description: The default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) may incorrectly treat the tested input string as a child of the specified parent directory. This could allow control-flow checks that rely on this validation to be bypassed if an attacker can specify the entire string representing the 'input' path.

Recommendations: For versions prior to 2.3.0.0, update to version 2.3.0.0 or later to resolve the issue. As a temporary workaround, consider writing your own implementation of the Validator interface by sub-classing the affected DefaultValidator class and overriding getValidDirectoryPath() to correct the issue. However, this is not recommended.
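The advisory says only that an input may be mis-classified as a child of the parent directory, not how. The following is an added illustration, not ESAPI code: a segment-aware "is input inside parent" check of the kind a corrected override would need, beside a plain string-prefix comparison that accepts a sibling directory. That a prefix comparison was the exact defect in ESAPI before 2.3.0.0 is an assumption; the class and method names below are constructed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/**
 * Added example (not from ESAPI): contrasts a string-prefix parent check with a
 * path-segment check. Whether a prefix comparison was the actual defect behind
 * CVE-2022-23457 is an assumption; the advisory does not state the mechanism.
 */
public final class ParentDirectoryCheck {

    /** String-prefix check: "/srv/data2" starts with "/srv/data", so it is accepted. */
    static boolean prefixCheck(File parent, String input) throws IOException {
        String parentPath = parent.getCanonicalPath();
        String inputPath = new File(input).getCanonicalPath();
        return inputPath.startsWith(parentPath);
    }

    /** Segment check: compares whole path elements after canonicalization. */
    static boolean segmentCheck(File parent, String input) throws IOException {
        Path parentPath = parent.getCanonicalFile().toPath();
        // getCanonicalFile() resolves "." and ".." lexically and symlinks for the
        // existing part of the path, so "/srv/data/../etc" becomes "/etc".
        Path inputPath = new File(input).getCanonicalFile().toPath();
        // Path.startsWith matches element by element, so "/srv/data2" is NOT
        // considered to start with "/srv/data".
        return inputPath.startsWith(parentPath);
    }

    public static void main(String[] args) throws IOException {
        File parent = new File("/srv/data");               // constructed sample parent
        String[] inputs = {
            "/srv/data/reports/q1.txt",                    // genuine child
            "/srv/data2/other.txt",                        // sibling sharing a prefix
            "/srv/data/../other/file.txt"                  // canonicalizes outside parent
        };
        for (String in : inputs) {
            System.out.printf("%-30s prefix=%-5b segment=%b%n",
                    in, prefixCheck(parent, in), segmentCheck(parent, in));
        }
    }
}
```

Only the second input separates the two checks: the prefix check accepts it, the segment check rejects it; both reject the third once it is canonicalized.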

Exploit · Fix

Weakness Enumeration: Path traversal

Related Identifiers

BDU:2022-04337
CVE-2022-23457
DLA-4246-1
GHSA-8M5H-HRQM-PXM2
USN-8181-1

Affected Products

Debian
Esapi
Linuxmint
Ubuntu