.avif)
View all vulnerabilities
CVE-2022-45143
Apache Tomcat improperly escapes input from JsonErrorReportValve
Description
The `JsonErrorReportValve` in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the `type`, `message` or `description` values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Patch Available
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgradingVulnerability Details
Score
7.5
Score Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected Versions
org.apache.tomcat.embed:tomcat-embed-core >= 8.5.83 < 8.5.84; org.apache.tomcat.embed:tomcat-embed-core >= 9.0.40 < 9.0.69; org.apache.tomcat.embed:tomcat-embed-core >= 10.1.0 < 10.1.2; org.apache.tomcat:tomcat-catalina >= 10.1.0 < 10.1.2; org.apache.tomcat:tomcat-util >= 8.5.83 < 8.5.84; org.apache.tomcat:tomcat-util >= 9.0.40 < 9.0.69
Severity
High
High
High
Ecosystem
Java
Publish Date
January 3, 2023
Modified Date
April 23, 2024