CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.1.0-M1 to 10.1.1
Apache Tomcat 9.0.40 to 9.0.68
Apache Tomcat 8.5.83
Description:
The JsonErrorReportValve did not escape the type, message or description
values. In some circumstances these are constructed from user provided
data and it was therefore possible for users to supply values that
invalidated or manipulated the JSON output.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 10.1.2 or later
- Upgrade to Apache Tomcat 9.0.69 or later
- Upgrade to Apache Tomcat 8.5.84 or later
Credit:
This issue was identified by the Apache Tomcat security team.
History:
2023-01-03 Original advisory
References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
