Org.lucee.esapi and CVE-2022-23457


We have a large application deployed as a WAR (bundling Lucee and necessary Extensions) onto Tomcat at various on-prem clients (global investment banks). One of these clients is subjecting the WAR to deep scanning as part of their release pipeline and blocking a production release due to a number of Critical and High findings in Lucee or Extensions (i.e. under WEB-INF). We’ve been able to address most of these but are left with one significant challenge with the ESAPI Extension (latest; unavoidable in the application as it stands. We’re deploying with Lucee 5.n still but evaluation of Lucee 6.n has provided no solution.

org.lucee.esapi- and CVE-2022-23457 is being flagged as Critical and blocker.

Evidence suggests that org.lucee.esapi- contains org.owasp.esapi and which has two CVEs against it including CVE-2022-23457. There is no later version of the ESAPI Extension (nor any evidence of a fix for this in GitHub). Has anyone come up against this challenge before or established documentation to evidence as a false-positive?, also bundled in the ESAPI Extension and with CVEs against it, is also raising findings although not currently a blocker; still a significant concern however.

From I believe there are updates to ESAPI Extension planned but this has been bumped along for a couple of years and seems to have gone stale. Is the only solution to avoid the Extension and refactor a significant amount of code?

Thanks for any advice,


Java Version: 11.n
Tomcat Version: 9.n
Lucee Version: /

1 Like

Being open source you can apply any of the following

  1. Report it and wait until its fixed
  2. Do it yourself
  3. Pay for someone else to do it.

Being that its a client, and the direct cost savings of running Lucee vs AFC are signifigant, maybe you should see if @cfmitrah will give you a quote on upgrading the software to what ever version you need for your client. You can upsell the charge and it will overall benifit the community should you choose to release the upgraded patch.

Just my thoughts.


Thanks for the thoughts, Terry, much appreciated. We’ve opted to flip from the ESAPI functions to the native methods in the interim which means we can skirt the CVEs but it’s certainly a good idea to get some momentum behind updates to the ESAPI extension as there are some benefits to that implementation.

1 Like