CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Percentile: 71.6%
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user-provided data, and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Vendor | Product | Version | CPE
---|---|---|---
org.apache.tomcat | tomcat-util | * | cpe:2.3:a:org.apache.tomcat:tomcat-util:*:*:*:*:*:*:*:* |
org.apache.tomcat | tomcat-util | 8.5.83 | cpe:2.3:a:org.apache.tomcat:tomcat-util:8.5.83:*:*:*:*:*:*:* |
org.apache.tomcat | tomcat-catalina | * | cpe:2.3:a:org.apache.tomcat:tomcat-catalina:*:*:*:*:*:*:*:* |
org.apache.tomcat.embed | tomcat-embed-core | * | cpe:2.3:a:org.apache.tomcat.embed:tomcat-embed-core:*:*:*:*:*:*:*:* |
org.apache.tomcat.embed | tomcat-embed-core | 8.5.83 | cpe:2.3:a:org.apache.tomcat.embed:tomcat-embed-core:8.5.83:*:*:*:*:*:*:* |
github.com/advisories/GHSA-rq2w-37h9-vg94
github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf
github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa
github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e
lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
nvd.nist.gov/vuln/detail/CVE-2022-45143
security.gentoo.org/glsa/202305-37