
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-23457 affects ESAPI (The OWASP Enterprise Security API), a free, open source web application security control library. The vulnerability is present in versions prior to 2.3.0.0, where the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean) could incorrectly treat the tested input string as a child of the specified parent directory. The vulnerability was discovered by GitHub Security Lab researcher Jaroslav Lobačevski and was disclosed on January 31, 2022, with a fix released on April 17, 2022 (GitHub Advisory).
The vulnerability stems from an implementation flaw in the getValidDirectoryPath method: the canonical form of the input path is compared against the result of parent.getCanonicalPath() with a plain prefix check, and because the canonical parent path is not slash terminated, a sibling directory whose name merely begins with the parent's name passes the check (partial path traversal). For example, '/usr/outnot'.startsWith('/usr/out') would pass the validation check even though 'outnot' is not under the 'out' directory. The vulnerability has been assigned a CVSS score of 7.5 (HIGH) with the vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).
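The following is an added illustration, not ESAPI's own code or patch: a minimal Java reproduction of the flawed prefix comparison described above beside a hardened form that requires the parent path plus a separator, using constructed paths under an assumed parent directory of /usr/out.

```java
import java.io.File;
import java.io.IOException;

public class DirectoryPathCheck {

    // Flawed check modelled on the pre-2.3.0.0 behaviour the advisory describes:
    // a bare startsWith() on canonical paths. With parent "/usr/out", the input
    // "/usr/outnot/secret.txt" passes because it begins with "/usr/out".
    static boolean isChildVulnerable(File parent, String input) throws IOException {
        String canonicalParent = parent.getCanonicalPath();
        String canonicalInput = new File(input).getCanonicalPath();
        return canonicalInput.startsWith(canonicalParent);
    }

    // Hardened check (independent illustration, not ESAPI's fix): the input must
    // equal the parent exactly or start with the parent followed by a separator,
    // so sibling directories that share a name prefix are rejected. The root
    // directory already ends with a separator, so avoid doubling it.
    static boolean isChildSafe(File parent, String input) throws IOException {
        String canonicalParent = parent.getCanonicalPath();
        String canonicalInput = new File(input).getCanonicalPath();
        if (canonicalInput.equals(canonicalParent)) {
            return true;
        }
        String prefix = canonicalParent.endsWith(File.separator)
                ? canonicalParent
                : canonicalParent + File.separator;
        return canonicalInput.startsWith(prefix);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: one legitimate child, one prefix-sharing
        // sibling, and one dot-dot path that canonicalises to that sibling.
        File parent = new File("/usr/out");
        String[] inputs = {
            "/usr/out/report.txt",
            "/usr/outnot/secret.txt",
            "/usr/out/../outnot/secret.txt"
        };
        for (String in : inputs) {
            System.out.printf("%-32s vulnerable=%-5b safe=%b%n",
                    in, isChildVulnerable(parent, in), isChildSafe(parent, in));
        }
    }
}
```

Only the first input is accepted by the hardened check; the flawed check accepts all three, including the dot-dot path, which shows that canonicalisation alone does not close the gap without the separator-aware comparison.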
Successful exploitation of this vulnerability could allow an attacker to break out of the expected directory structure. If an attacker can specify the entire string representing the 'input' path, checks that rely on this validation for control flow could be bypassed, leading to unauthorized access to files outside the intended directory (GitHub Advisory).
The vulnerability has been patched in ESAPI version 2.3.0.0. While it is theoretically possible to write a custom implementation of the Validator interface by sub-classing the affected DefaultValidator class and overriding the affected getValidDirectoryPath() method, the maintainers do not recommend this approach. The best mitigation is to upgrade to ESAPI version 2.3.0.0 or later (GitHub Advisory).
Source: This report was generated using AI