CVE-2022-45143 — Improper Encoding or Escaping of Output in Apache Tomcat

CWE-116 — Improper Encoding or Escaping of Output CWE-74 — Injection11 documents9 sources

Severity

7.5HIGHNVD

EPSS

0.8%

top 25.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Apache Software Foundation Apache Tomcat

Timeline

PublishedJan 3

Latest updateNov 21

Description

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/tomcat9.0.40 — 9.0.69+3

▶CVEListV5apache_software_foundation/apache_tomcat10.1.0-M1 — 10.1.1+2

🔴Vulnerability Details

OSV

Apache Tomcat improperly escapes input from JsonErrorReportValve↗2023-01-03

▶

GHSA

Apache Tomcat improperly escapes input from JsonErrorReportValve↗2023-01-03

▶

CVEList

Apache Tomcat: JsonErrorReportValve escaping↗2023-01-03

▶

OSV

CVE-2022-45143: The JsonErrorReportValve in Apache Tomcat 8↗2023-01-03

▶

📋Vendor Advisories

Atlassian

CVE-2022-45143: org.apache.tomcat:tomcat-catalina Vulnerability in Confluence Data Center and Server↗2023-11-21

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Endeca Application Controller (Apache Tomcat) — CVE-2022-45143↗2023-07-15

▶

Oracle

Oracle Oracle Commerce Risk Matrix: Content Acquisition System, Workbench (Apache Tomcat) — CVE-2022-45143↗2023-04-15

▶

Red Hat

tomcat: JsonErrorReportValve injection↗2023-01-03

▶

Debian

CVE-2022-45143: tomcat9 - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1...↗2022

▶