Apache Tomcat JsonErrorReportValve JSON injection pre 8.5.83 & 9.0.40-9.0.68
CVE-2022-45143 Published on January 3, 2023
Apache Tomcat: JsonErrorReportValve escaping
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user-provided data, and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Weakness Type
What is an Output Sanitization Vulnerability?
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
CVE-2022-45143 has been classified as an Output Sanitization vulnerability or weakness.
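To make the weakness concrete, here is an added example (not Tomcat's code, and not taken from the advisory) contrasting the two ways an error-report body can be assembled. Tomcat itself is written in Java; the example uses Python only because the point is language-independent: string values placed between JSON quotes must be escaped, or a quote, backslash or control character in a user-influenced message either makes the document unparseable or lets the value add keys of its own. The sample type, message and description strings are constructed for the demonstration, and the `parses_as_intended` helper is a hypothetical defender-side check, not part of any real error valve.

```python
import json

# Constructed sample values standing in for the type, message and description
# that an error-report valve would place into its JSON body. These are
# hypothetical inputs for the demonstration, not values from any real request.
SAMPLE_TYPE = "Status report"
SAMPLE_MESSAGE = 'Not found: "/app/missing"\nsee log'
SAMPLE_DESCRIPTION = "The requested resource is not available."


def build_error_json_unescaped(type_: str, message: str, description: str) -> str:
    """Weak pattern: values concatenated straight into the JSON text.

    A double quote or a raw newline in any value breaks the structure of the
    document, and a value containing '","' can introduce keys that were never
    intended to be there.
    """
    return (
        '{"type":"' + type_ + '",'
        '"message":"' + message + '",'
        '"description":"' + description + '"}'
    )


def json_escape(value: str) -> str:
    """Escape a string for safe placement between JSON double quotes.

    Written out by hand so the escaping rules are visible; json.dumps(value)
    would produce an equivalent (already quoted) result in one call.
    """
    out = []
    for ch in value:
        if ch == '"':
            out.append('\\"')
        elif ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif ord(ch) < 0x20:
            # Remaining control characters must be \u-escaped per RFC 8259.
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_error_json_escaped(type_: str, message: str, description: str) -> str:
    """Corrected pattern: every value is escaped before being placed between quotes."""
    return (
        '{"type":"' + json_escape(type_) + '",'
        '"message":"' + json_escape(message) + '",'
        '"description":"' + json_escape(description) + '"}'
    )


def parses_as_intended(body: str, type_: str, message: str, description: str) -> bool:
    """Hypothetical defender-side check: the body must be valid JSON and must
    carry exactly the three intended keys, with the original values round-tripping
    unchanged. Extra keys or a parse failure both count as a broken report."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return doc == {"type": type_, "message": message, "description": description}


if __name__ == "__main__":
    weak = build_error_json_unescaped(SAMPLE_TYPE, SAMPLE_MESSAGE, SAMPLE_DESCRIPTION)
    safe = build_error_json_escaped(SAMPLE_TYPE, SAMPLE_MESSAGE, SAMPLE_DESCRIPTION)
    print("unescaped body intact:", parses_as_intended(weak, SAMPLE_TYPE, SAMPLE_MESSAGE, SAMPLE_DESCRIPTION))
    print("escaped body intact:  ", parses_as_intended(safe, SAMPLE_TYPE, SAMPLE_MESSAGE, SAMPLE_DESCRIPTION))
```

Running the block shows the unescaped body failing the round-trip check (the embedded quote and newline leave it unparseable) while the escaped body parses back to exactly the three intended values. The same check is a cheap regression test to keep around any hand-built JSON: parse the output and compare it to the structure you meant to emit, rather than trusting string concatenation.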
Products Associated with CVE-2022-45143
Affected Versions
Apache Software Foundation Apache Tomcat:
- Versions 10.1.0-M1 through 10.1.1 (inclusive) are affected.
- Versions 9.0.40 through 9.0.68 (inclusive) are affected.
- Version 8.5.83 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.