{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-11T13:56:37.609","vulnerabilities":[{"cve":{"id":"CVE-2022-23457","sourceIdentifier":"security-advisories@github.com","published":"2022-04-25T20:15:41.870","lastModified":"2025-11-03T20:15:52.767","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this."},{"lang":"es","value":"ESAPI (The OWASP Enterprise Security API) es una biblioteca de control de seguridad de aplicaciones web gratuita y de código abierto. En versiones anteriores a 2.3.0.0, la implementación por defecto de \"Validator.getValidDirectoryPath(String, String, File, boolean)\" puede tratar incorrectamente la cadena de entrada comprobada como un hijo del directorio padre especificado. Esto podría permitir que las comprobaciones de omisión de flujo de control sean derrotadas si un ataque puede especificar toda la cadena que representa la ruta \"input\". Esta vulnerabilidad está parcheada en versión 2.3.0.0 de ESAPI. Como medida de mitigación, es posible escribir una implementación propia de la interfaz del validador. Sin embargo, los mantenedores no lo recomiendan"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:owasp:enterprise_security_api:*:*:*:*:*:*:*:*","versionEndExcluding":"2.3.0.0","matchCriteriaId":"3D4C0C85-ADA3-4785-AF52-18EC1C19F8AC"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*","matchCriteriaId":"F14A818F-AA16-4438-A3E4-E64C9287AC66"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*","matchCriteriaId":"4A5BB153-68E0-4DDA-87D1-0D9AB7F0A418"},{"vulnerable":true,"criteria":"cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*","matchCriteriaId":"04BCDC24-4A21-473C-8733-0D9CFB38A752"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*","matchCriteriaId":"F3E0B672-3E06-4422-B2A4-0BD073AEC2A1"},{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*","matchCriteriaId":"3A756737-1CC4-42C2-A4DF-E1C893B4E2D5"},{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*","matchCriteriaId":"B55E8D50-99B4-47EC-86F9-699B67D473CE"},{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*","matchCriteriaId":"5735E553-9731-4AAC-BCFF-989377F817B3"}]}]}],"references":[{"url":"https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://security.netapp.com/advisory/ntap-20230127-0014/","source":"security-advisories@github.com","tags":["Third Party Advisory"]},{"url":"https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes"]},{"url":"https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/07/msg00010.html","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://security.netapp.com/advisory/ntap-20230127-0014/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"]},{"url":"https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]}]}}]}