CVE-2022-45143

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user-provided data, and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

CVSS v3:

  • Severity: High
  • Score: 7.5
  • AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Software                    From                Fixed in
apache / tomcat             10.1.0-milestone3   10.1.0-milestone3.x
apache / tomcat             10.1.0-milestone4   10.1.0-milestone4.x
apache / tomcat             10.1.0-milestone5   10.1.0-milestone5.x
apache / tomcat             10.1.0-milestone1   10.1.0-milestone1.x
apache / tomcat             10.1.0-milestone2   10.1.0-milestone2.x
apache / tomcat             10.1.0-milestone7   10.1.0-milestone7.x
apache / tomcat             10.1.0-milestone8   10.1.0-milestone8.x
apache / tomcat             10.1.0-milestone9   10.1.0-milestone9.x
apache / tomcat             10.1.0-milestone6   10.1.0-milestone6.x
apache / tomcat             10.1.0-milestone10  10.1.0-milestone10.x
apache / tomcat             10.1.0-milestone11  10.1.0-milestone11.x
apache / tomcat             10.1.0-milestone12  10.1.0-milestone12.x
apache / tomcat             10.1.0-milestone13  10.1.0-milestone13.x
apache / tomcat             10.1.0-milestone14  10.1.0-milestone14.x
apache / tomcat             10.1.0-milestone16  10.1.0-milestone16.x
apache / tomcat             10.1.0-milestone15  10.1.0-milestone15.x
apache / tomcat             10.1.0-milestone17  10.1.0-milestone17.x
apache / tomcat             10.1.1              10.1.1.x
apache / tomcat             9.0.40              9.0.69
apache / tomcat             8.5.83              8.5.83.x
org.apache.tomcat / tomcat  8.5.83              8.5.83.x
org.apache.tomcat / tomcat  8.5.83              8.5.84
org.apache.tomcat / tomcat  9.0.40              9.0.69
org.apache.tomcat / tomcat  10.1.0              10.1.2