Vulnerability

CVE-2022-45143

 Report advisory or correction

CVSS Score 7.5 high

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE

CWE-116

References

https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
https://github.com/todobugs/tomcat/pull/2
https://github.com/todobugs/tomcat/pull/3
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45143

[CVE-2022-45143] CWE-116: Improper Encoding or Escaping of Output

Description

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See org.apache.tomcat.embed/tomcat-embed-core package information