{ "schema_version": "1.4.0", "id": "GHSA-rq2w-37h9-vg94", "modified": "2024-04-23T21:44:48Z", "published": "2023-01-03T21:30:21Z", "aliases": [ "CVE-2022-45143" ], "summary": "Apache Tomcat improperly escapes input from JsonErrorReportValve", "details": "The `JsonErrorReportValve` in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the `type`, `message` or `description` values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.83" }, { "fixed": "8.5.84" } ] } ], "versions": [ "8.5.83" ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.40" }, { "fixed": "9.0.69" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 9.0.68" } }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0" }, { "fixed": "10.1.2" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 10.1.1" } }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat:tomcat-catalina" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "10.1.0" }, { "fixed": "10.1.2" } ] } ], "database_specific": { "last_known_affected_version_range": "<= 10.1.1" } }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat:tomcat-util" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.5.83" }, { "fixed": "8.5.84" } ] } ], "versions": [ "8.5.83" ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat:tomcat-util" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.40" }, { "fixed": "9.0.69" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45143" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202305-37" } ], "database_specific": { "cwe_ids": [ "CWE-116", "CWE-74" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-01-05T12:02:50Z", "nvd_published_at": "2023-01-03T19:15:00Z" } }