CVE-2022-45143
Public on 2023-01-03
Modified on 2024-04-29
Description
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| HAQM Linux 2 - Core | tomcat | Not Affected | ||
| HAQM Linux 2 - Tomcat8.5 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT8.5-2023-013 | Fixed |
| HAQM Linux 2 - Tomcat9 Extra | tomcat | 2023-08-21 | ALAS2TOMCAT9-2023-008 | Fixed |
| HAQM Linux 2023 | tomcat9 | 2023-04-27 | ALAS2023-2023-176 | Fixed |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| HAQM Linux | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| NVD | CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |