CVE-2022-45143

Severity

6.5

Description

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45143

https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj

https://tomcat.apache.org/security-10.html

https://tomcat.apache.org/security-8.html

https://tomcat.apache.org/security-9.html

https://github.com/todobugs/tomcat/pull/2

https://github.com/todobugs/tomcat/pull/3

Project

Apache Tomcat

Category

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Tags

data

operational

Date Disclosed

2023-01-03

Date Discovered

2022-11-10

Apache Tomcat 10.1.x

First release:

2022-09-23

CVEs:

12

Support Lifecycle:

Namespace:

javax

Apache Tomcat 10.0.x

First release:

2021-02-02

CVEs:

22

Support Lifecycle:

Namespace:

jakarta

10.0.0 10.0.2 10.0.4 10.0.5 10.0.6 10.0.7 10.0.8 10.0.10 10.0.11 10.0.12 10.0.13 10.0.14 10.0.16 10.0.17 10.0.18 10.0.20 10.0.21 10.0.22 10.0.23 10.0.26 10.0.27

Apache TomEE 9.1.x

First release:

2023-06-06

CVEs:

10

Support Lifecycle:

Namespace:

javax

Apache TomEE 9.0.x

First release:

2023-01-03

CVEs:

15

Support Lifecycle:

Namespace:

javax

Apache Tomcat 9.0.x

First release:

2018-01-18

CVEs:

49

Support Lifecycle:

Maintenance Support

Namespace:

javax

9.0.40 9.0.41 9.0.43 9.0.44 9.0.45 9.0.46 9.0.48 9.0.50 9.0.52 9.0.53 9.0.54 9.0.55 9.0.56 9.0.58 9.0.59 9.0.60 9.0.62 9.0.63 9.0.64 9.0.65 9.0.67 9.0.68

Apache Tomcat 8.5.x

First release:

2016-06-13

CVEs:

66

Support Lifecycle:

Maintenance Support

Namespace:

javax

Apache TomEE 8.0.x

First release:

2019-09-13

CVEs:

88

Support Lifecycle:

Namespace:

javax

8.0.6 8.0.7 8.0.8 8.0.9 8.0.10 8.0.11 8.0.12 8.0.13

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.