CVE-2022-45143

Aliases:GHSA-rq2w-37h9-vg94BIT-tomcat-2022-45143
Advisory lineage Upstream: 0 Downstream: 8
Modified
Published: 03 Jan 2023, 18:12
Last modified:03 Aug 2024, 14:09

Vulnerability Summary

Overall Risk (default)
medium
30/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.89% LOW
1% probability -0.21%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

03 Jan 2023, 18:12
Published
Vulnerability first disclosed
03 Aug 2024, 14:09
Last Modified
Vulnerability information updated

Description

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

CVSS Metrics

  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 0.89% Percentile: 76%

Techniques & Countermeasures

  • CWE-116Improper Encoding or Escaping of Output

    The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Affected Systems

  • apache software foundationapache tomcat

    ≥ 10.1.0-M1, ≤ 10.1.1 | ≥ 9.0.40, ≤ 9.0.68 | 8.5.83

  • UnknownTomcat

    ≥ 9.0.40, < 9.0.69 | 8.5.83 | 10.1.0:milestone1 | 10.1.0:milestone10 | 10.1.0:milestone11 | 10.1.0:milestone12 | 10.1.0:milestone13 | 10.1.0:milestone14 | 10.1.0:milestone15 | 10.1.0:milestone16 | 10.1.0:milestone17 | 10.1.0:milestone2 | 10.1.0:milestone3 | 10.1.0:milestone4 | 10.1.0:milestone5 | 10.1.0:milestone6 | 10.1.0:milestone7 | 10.1.0:milestone8 | 10.1.0:milestone9 | 10.1.1

  • org.apache.tomcattomcat-catalina

    ≥ 10.1.0, < 10.1.2

  • org.apache.tomcattomcat-util

    ≥ 8.5.83, < 8.5.84 | ≥ 9.0.40, < 9.0.69

  • org.apache.tomcat.embedtomcat-embed-core

    ≥ 8.5.83, < 8.5.84 | ≥ 9.0.40, < 9.0.69 | ≥ 10.1.0, < 10.1.2

References (8)