CVE-2022-45143

Summary

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat10.1.0-M1 <= 10.1.1affected
Apache Software FoundationApache Tomcat9.0.40 <= 9.0.68affected
Apache Software FoundationApache Tomcat8.5.83affected

Weaknesses

  • CWE-116: CWE-116 Improper Encoding or Escaping of Output

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References