GHSA-rq2w-37h9-vg94

Source

https://github.com/advisories/GHSA-rq2w-37h9-vg94

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rq2w-37h9-vg94

Aliases

Published

2023-01-03T21:30:21Z

Modified

2024-04-23T22:00:59.346897Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Apache Tomcat improperly escapes input from JsonErrorReportValve

Details

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

References

Affected packages

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.83

Fixed

8.5.84

Affected versions

8.*

8.5.83

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.40

Fixed

9.0.69

Affected versions

9.*

9.0.40

9.0.41

9.0.43

9.0.44

9.0.45

9.0.46

9.0.48

9.0.50

9.0.52

9.0.53

9.0.54

9.0.55

9.0.56

9.0.58

9.0.59

9.0.60

9.0.62

9.0.63

9.0.64

9.0.65

9.0.67

9.0.68

Database specific

{
    "last_known_affected_version_range": "<= 9.0.68"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.0

Fixed

10.1.2

Affected versions

10.*

10.1.0

10.1.1

Database specific

{
    "last_known_affected_version_range": "<= 10.1.1"
}

Maven / org.apache.tomcat:tomcat-catalina

Package

Name: org.apache.tomcat:tomcat-catalina; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-catalina

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.0

Fixed

10.1.2

Affected versions

10.*

10.1.0

10.1.1

Database specific

{
    "last_known_affected_version_range": "<= 10.1.1"
}

Maven / org.apache.tomcat:tomcat-util

Package

Name: org.apache.tomcat:tomcat-util; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-util

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.83

Fixed

8.5.84

Affected versions

8.*

8.5.83

Maven / org.apache.tomcat:tomcat-util

Package

Name: org.apache.tomcat:tomcat-util; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-util

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.40

Fixed

9.0.69

Affected versions

9.*

9.0.40

9.0.41

9.0.43

9.0.44

9.0.45

9.0.46

9.0.48

9.0.50

9.0.52

9.0.53

9.0.54

9.0.55

9.0.56

9.0.58

9.0.59

9.0.60

9.0.62

9.0.63

9.0.64

9.0.65

9.0.67

9.0.68