CVE-2022-45143

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-45143

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-45143.json

Aliases

BIT-tomcat-2022-45143
GHSA-rq2w-37h9-vg94

Related

DSA-5381-1

Published

2023-01-03T19:15:10Z

Modified

2024-05-13T21:23:24Z

Summary

[none]

Details

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

References

https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
https://security.gentoo.org/glsa/202305-37

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type: GIT
Repo: https://github.com/apache/tomcat
Events: Introduced

11cce490eb67a8aca64377a22c0cea2e38896725

Fixed

cd5fd93c5df3699868ec39731f5a347450112299