GHSA-rq2w-37h9-vg94

Published: 03 Jan 2023
Source: github
GitHub: reviewed
CVSS3: 7.5

Description

Apache Tomcat improperly escapes input from JsonErrorReportValve

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
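The defect class described above (values placed into a JSON document without escaping) is easy to reproduce and to fix. The following is an added example, not code from the advisory or from Apache Tomcat: `vulnerable_json_report` is a hypothetical template-based builder that inserts raw values, `hardened_json_report` is the same builder with a JSON string escaper applied to every value, and the sample messages are constructed inputs. The example goes slightly beyond the advisory text by showing both outcomes it names: a value that makes the output unparseable and a value that keeps it valid but overrides another field.

```python
"""Added example: unescaped values in a JSON error body, and the escaping fix.
Not Tomcat code; the builders and sample values below are hypothetical."""
import json

# Constructed sample values standing in for what an error-report valve might
# receive. The description is static; the messages are chosen to demonstrate
# the two failure modes named in the advisory.
SAMPLE_TYPE = "status report"
SAMPLE_DESCRIPTION = ("The origin server did not find a current representation "
                      "for the target resource.")
# Contains a raw backslash, a quote and a newline: breaks the JSON document.
INVALIDATING_MESSAGE = 'bad \\ value "\nsecond line'
# Stays valid JSON but closes the message string and adds a second "type" key.
MANIPULATING_MESSAGE = 'Not Found", "type": "overridden'

TEMPLATE = '{"type": "%s", "message": "%s", "description": "%s"}'


def vulnerable_json_report(type_, message, description):
    """Hypothetical unsafe builder: raw values dropped into a JSON template."""
    return TEMPLATE % (type_, message, description)


def escape_json_string(value):
    """Escape a string for use inside a JSON string literal (RFC 8259 rules).

    Quote and backslash get a backslash prefix, common control characters use
    their short escapes, and any other control character becomes \\uXXXX.
    """
    out = []
    for ch in value:
        if ch == '"':
            out.append('\\"')
        elif ch == '\\':
            out.append('\\\\')
        elif ch == '\n':
            out.append('\\n')
        elif ch == '\r':
            out.append('\\r')
        elif ch == '\t':
            out.append('\\t')
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def hardened_json_report(type_, message, description):
    """Same template, but every inserted value is escaped first."""
    return TEMPLATE % (escape_json_string(type_),
                       escape_json_string(message),
                       escape_json_string(description))


def parse_report(text):
    """Decode a report body; return the object, or None if it is not valid JSON."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for label, msg in (("invalidating", INVALIDATING_MESSAGE),
                       ("manipulating", MANIPULATING_MESSAGE)):
        bad = parse_report(vulnerable_json_report(SAMPLE_TYPE, msg, SAMPLE_DESCRIPTION))
        good = parse_report(hardened_json_report(SAMPLE_TYPE, msg, SAMPLE_DESCRIPTION))
        print(label, "vulnerable ->", bad)
        print(label, "hardened   ->", good)
```

With the invalidating message the vulnerable body fails to parse, so a client expecting JSON gets nothing usable; with the manipulating message the vulnerable body parses, but the duplicated `"type"` key silently replaces the server's value, which is the "manipulated" case. The hardened builder round-trips both messages exactly, which is the check to apply when reviewing any hand-built JSON: decode the output and confirm each field equals the value that went in.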

Packages

Name                                        Ecosystem   Affected versions       Fixed version
org.apache.tomcat.embed:tomcat-embed-core   maven       = 8.5.83                8.5.84
org.apache.tomcat.embed:tomcat-embed-core   maven       >= 9.0.40, <= 9.0.68    9.0.69
org.apache.tomcat.embed:tomcat-embed-core   maven       >= 10.1.0, <= 10.1.1    10.1.2
org.apache.tomcat:tomcat-catalina           maven       >= 10.1.0, <= 10.1.1    10.1.2
org.apache.tomcat:tomcat-util               maven       = 8.5.83                8.5.84
org.apache.tomcat:tomcat-util               maven       >= 9.0.40, < 9.0.69     9.0.69

EPSS

Percentile: 75%
Score: 0.00933
Low

CVSS3

7.5 High

Weaknesses

CWE-116
CWE-74

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 2 years ago

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

CVSS3: 7.5
redhat
more than 2 years ago

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

CVSS3: 7.5
nvd
more than 2 years ago

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

CVSS3: 7.5
debian
more than 2 years ago

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and ...

suse-cvrf
about 2 years ago

Security update for tomcat
