CVE-2022-45143: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

January 3, 2023 (updated June 27, 2023)

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

References

lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
nvd.nist.gov/vuln/detail/CVE-2022-45143

Detect and mitigate CVE-2022-45143 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →