CVE-2022-45143

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in maven/org.apache.tomcat.embed/tomcat-embed-core

Identifiers

CVE-2022-45143, GHSA-rq2w-37h9-vg94

Package Slug

maven/org.apache.tomcat.embed/tomcat-embed-core

Vulnerability

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Description

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Affected Versions

Version 8.5.83, all versions starting from 9.0.40 before 9.0.69, all versions starting from 10.1.0 up to 10.1.1

Solution

Upgrade to version 9.0.69 or above.

Last Modified

2023-01-19

source