An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04bTVoLWhycW0tcHhtMs1BTQ

Path traversal in the OWASP Enterprise Security API


The default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow checks to be bypassed if an attacker can specify the entire string representing the 'input' path.


This vulnerability is patched in release of ESAPI. See for details.


Yes; in theory, one could write their own implementation of the Validator interface. This would most easily be done by sub-classing a version of the affected DefaultValidator class and then overriding the affected getValidDirectoryPath() method to correct the issue. However, this is not recommended.
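The following is an added illustration, not ESAPI's own code and not the exact logic of the affected method: it shows the general shape of a "is this path inside the parent directory?" check, with a naive prefix comparison beside a hardened one, so the failure mode the advisory describes (an input wrongly treated as a child of the parent) can be recognised in a review. The directory names, the helper names and the sample inputs are all constructed for the example.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added example (not ESAPI code). Compares a naive directory-containment
 * check with a hardened one. The parent directory and inputs are constructed
 * and need not exist on disk: File.getCanonicalPath() still normalises them.
 */
public class DirectoryContainmentExample {

    // Naive check: plain string prefix on canonical paths. This accepts a
    // sibling such as "/srv/app/uploads-old" as a child of "/srv/app/uploads"
    // because the parent's canonical path is a prefix of the sibling's.
    // (Illustrative pitfall; not asserted to be the mechanism of this CVE.)
    static boolean naiveIsChild(File parent, String input) throws IOException {
        String parentCanon = parent.getCanonicalPath();
        String inputCanon = new File(input).getCanonicalPath();
        return inputCanon.startsWith(parentCanon);
    }

    // Hardened check: canonicalise both sides (resolving ".." and symlinks),
    // then require either equality with the parent or a prefix that ends at a
    // separator boundary, so look-alike siblings are rejected. Treating the
    // parent itself as "inside" is a design choice made here for illustration.
    static boolean isChild(File parent, String input) throws IOException {
        String parentCanon = parent.getCanonicalPath();
        String inputCanon = new File(input).getCanonicalPath();
        if (inputCanon.equals(parentCanon)) {
            return true;
        }
        String prefix = parentCanon.endsWith(File.separator)
                ? parentCanon
                : parentCanon + File.separator;
        return inputCanon.startsWith(prefix);
    }

    public static void main(String[] args) throws IOException {
        File parent = new File("/srv/app/uploads"); // constructed parent directory
        String[] inputs = {
            "/srv/app/uploads/report.pdf",        // legitimate child
            "/srv/app/uploads/../config/app.yml", // escapes the parent via ".."
            "/srv/app/uploads-old/report.pdf",    // sibling sharing a name prefix
            "/srv/app/uploads",                   // the parent itself
        };
        for (String input : inputs) {
            System.out.printf("%-40s naive=%-5b hardened=%-5b%n",
                    input, naiveIsChild(parent, input), isChild(parent, input));
        }
    }
}
```

On a Unix-like system the second input is rejected by both checks once canonicalised, while the third is accepted only by the naive check; that difference is the property to test for when reviewing or overriding a directory-path validator, and a unit test covering a sibling-prefix input and a ".." input is a cheap regression guard.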

For more information

If you have any questions or comments about this advisory:

Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: over 1 year ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-8m5h-hrqm-pxm2, CVE-2022-23457
References: Repository:
Blast Radius: 23.8

Affected Packages

Dependent packages: 106
Dependent repositories: 1,483
Affected Version Ranges: <=
Fixed in:
All affected versions:
All unaffected versions: 2.0.1, 2.1.0