CVE-2022-34305
Vulnerability Summary
Timeline
Description
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
CVSS Metrics
- v3.1•MEDIUM•Score: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 17.37%• Percentile: 95%
Techniques & Countermeasures
- CWE-79•Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Affected Systems
- apache software foundation•apache tomcat
Apache Tomcat 8.5 8.5.50 to 8.5.81 | Apache Tomcat 9 9.0.30 to 9.0.64 | Apache Tomcat 10.0 10.0.0-M1 to 10.0.22 | Apache Tomcat 10.1 10.1.0-M1 to 10.1.0-M16
- Unknown•Tomcat
≥ 8.5.50, ≤ 8.5.81 | ≥ 9.0.30, ≤ 9.0.64 | ≥ 10.0.0, ≤ 10.0.22 | 10.1.0:milestone1 | 10.1.0:milestone10 | 10.1.0:milestone11 | 10.1.0:milestone12 | 10.1.0:milestone13 | 10.1.0:milestone14 | 10.1.0:milestone15 | 10.1.0:milestone16 | 10.1.0:milestone2 | 10.1.0:milestone3 | 10.1.0:milestone4 | 10.1.0:milestone5 | 10.1.0:milestone6 | 10.1.0:milestone7 | 10.1.0:milestone8 | 10.1.0:milestone9
- org.apache.tomcat•tomcat
≥ 10.1.0-M1, < 10.1.0-M17 | ≥ 10.0.0-M1, < 10.0.22 | ≥ 9.0.30, < 9.0.65 | ≥ 8.5.50, < 8.5.82
References (6)
- https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k
- http://www.openwall.com/lists/oss-security/2022/06/23/1
- https://security.netapp.com/advisory/ntap-20220729-0006/
- https://security.gentoo.org/glsa/202208-34
- https://nvd.nist.gov/vuln/detail/CVE-2022-34305
- https://security.netapp.com/advisory/ntap-20220729-0006