CVE-2022-23457

high

malware scan detection code search

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.

7.5

cvss high

common vulnerability scoring system v3.1. measures intrinsic severity on a 0-10 scale.

epss 0.0045

exploitation prediction scoring system. probability this vulnerability will be exploited in the wild in the next 30 days.

kev no

cisa known exploited vulnerabilities catalog. confirmed active exploitation.

CVSS 3.1 Common Vulnerability Scoring System v3.1

7.5 / 10

HIGH

exploitability

Attack Vector

Network

Attack Vector (AV:N): exploitable remotely over the network — most dangerous. no physical or adjacent access needed.

Attack Complexity

High

Attack Complexity (AC:H): exploitation requires specific conditions outside the attacker's control (race condition, non-default config, etc).

Privileges Required

Low

Privileges Required (PR:L): requires basic user-level access.

User Interaction

None

User Interaction (UI:N): no victim action needed. fully exploitable without user interaction.

impact

Scope

Unchanged

Scope (S:U): impact limited to the vulnerable component.

Confidentiality

High

Confidentiality (C:H): total information disclosure. attacker gains access to all data within the component.

Integrity

High

Integrity (I:H): complete data modification possible. attacker can modify any data.

Availability

High

Availability (A:H): total denial of service. attacker can fully shut down the resource.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

exploitation detection attribution advisories media timeline

activity density

rdintel assessment

flagged malicious repos detected. do not execute.

public exploit available. prioritize patching.

detection rules available.

composite score from 15+ signals including exploitation status, epss probability, detection coverage, and community attention. 0-100 scale.

exploitation

actively exploited

Vendor - Product Name

Apply vendor-provided patches

poc repositories (3)

researcher/exploit-poc - 42 stars - Python

security-lab/cve-checker - 18 stars - Go

detection

nuclei-template-id - critical - by projectdiscovery

sigma-rule-title - high - windows

timeline

2024-01-15 - published - CVE record created

2024-01-18 - poc - First exploit code published

2024-01-20 - kev - Added to known exploited

pocs, detection rules, timeline, advisories, and more