The Open Web Application Security Project (OWASP) has fixed a critical vulnerability in its Enterprise Security API (ESAPI) whose exploitation could have allowed threat actors to run path traversal attacks. The flaw, which involved the ESAPI validator interface, was addressed with the release of version 18.104.22.168.
OWASP ESAPI offers a security controls library that can help software developers to write more secure code. This was designed to be embedded in web applications as a proactive security measures group. Although it could be hard to exploit the exposed component, OWASP encourages users of affected versions to install the most recent version as soon as possible.
The developer also mentioned that even when Validator.getValidDirectoryPath() is used within an application, that doesn’t mean it’s exploitable within your own application, so a successful attack is different.
The vulnerable ESAPI would be used in conjunction with a web application firewall (WAF) or intrusion detection software, further limiting the scope of the attack which has a higher exploitation chance. The vulnerability received a score of 7.5/10 as per the CVSS.
Although everything indicates that it is unlikely that this flaw will be exploited in the wild, and it is even less likely that it can cause severe damage, Wall believes that developers have a lot to learn from this kind of report. To get started, application developers using these libraries should use software analysis tools and know their respective advantages and disadvantages.
In addition, when experts decide not to address these failures, it is best to implement an in-depth analysis and see exactly how a similar failure could affect the operation of your applications to know the best method to follow to mitigate the risk.