GHSA-rq2w-37h9-vg94

Source
https://github.com/advisories/GHSA-rq2w-37h9-vg94
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-rq2w-37h9-vg94/GHSA-rq2w-37h9-vg94.json
Aliases
Published
2023-01-03T21:30:21Z
Modified
2024-04-23T22:00:59.346897Z
Details

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user-provided data, and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

References

Affected packages

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.83
Fixed
8.5.84

Affected versions

8.*

8.5.83

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.40
Fixed
9.0.69

Affected versions

9.*

9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68

Database specific

{
    "last_known_affected_version_range": "<= 9.0.68"
}

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.1.0
Fixed
10.1.2

Affected versions

10.*

10.1.0
10.1.1

Database specific

{
    "last_known_affected_version_range": "<= 10.1.1"
}

Maven / org.apache.tomcat:tomcat-catalina

Package

Name
org.apache.tomcat:tomcat-catalina

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.1.0
Fixed
10.1.2

Affected versions

10.*

10.1.0
10.1.1

Database specific

{
    "last_known_affected_version_range": "<= 10.1.1"
}

Maven / org.apache.tomcat:tomcat-util

Package

Name
org.apache.tomcat:tomcat-util

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.83
Fixed
8.5.84

Affected versions

8.*

8.5.83

Maven / org.apache.tomcat:tomcat-util

Package

Name
org.apache.tomcat:tomcat-util

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.40
Fixed
9.0.69

Affected versions

9.*

9.0.40
9.0.41
9.0.43
9.0.44
9.0.45
9.0.46
9.0.48
9.0.50
9.0.52
9.0.53
9.0.54
9.0.55
9.0.56
9.0.58
9.0.59
9.0.60
9.0.62
9.0.63
9.0.64
9.0.65
9.0.67
9.0.68