CVE-2022-45143 (CVSS base score 7.5)

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Data is provided by the National Vulnerability Database (NVD)
Affected products (as listed by NVD):
  Apache Tomcat 8.5.83
  Apache Tomcat >= 9.0.40 and < 9.0.69
  Apache Tomcat 10.1.0-M1 through 10.1.0-M17 (NVD lists each milestone, M1 to M17, individually)
  Apache Tomcat 10.1.1
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS metrics
  Type   Source      Score   Percentile
  EPSS   FIRST.org   0.95%   0.755

CVSS metrics
  Source         Base score   Exploitability score   Impact score   Vector string
  nvd@nist.gov   7.5          3.9                    3.6            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE-116: Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
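The CVE description above and the CWE-116 text both describe the same defect: a value that ends up in a JSON error body without escaping. The following added example (constructed for this page, not Tomcat's JsonErrorReportValve code; the key names and the sample values are assumptions) contrasts the unescaped concatenation pattern with serializer-based escaping, and includes a defender-side check that flags error bodies which no longer parse or carry unexpected keys.

```python
import json

# Constructed inputs (not real Tomcat output): values that can be influenced by a request,
# e.g. user-supplied text that ends up in the message of an error report.
BREAKS_JSON = 'missing"file'                       # stray quote: the output no longer parses
INJECTS_KEY = 'x", "status": 200, "message": "ok'  # closes the string, adds a key, redefines message

EXPECTED_KEYS = {"type", "message", "description"}  # assumed layout of the error report

def naive_error_json(type_, message, description):
    """Vulnerable pattern: values concatenated into the JSON template without escaping."""
    return ('{"type":"' + type_ + '","message":"' + message
            + '","description":"' + description + '"}')

def escaped_error_json(type_, message, description):
    """Fixed pattern: a JSON serializer escapes quotes, backslashes and control characters."""
    return json.dumps({"type": type_, "message": message, "description": description})

def audit_error_body(body):
    """Defender-side check: does the body parse, and does it carry exactly the expected keys?
    Returns (ok, detail): detail is the parsed object on success, else the reason for rejection."""
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc.msg}"
    if not isinstance(obj, dict) or set(obj) != EXPECTED_KEYS:
        keys = sorted(obj) if isinstance(obj, dict) else repr(obj)
        return False, f"unexpected structure: {keys}"
    return True, obj

if __name__ == "__main__":
    for value in (BREAKS_JSON, INJECTS_KEY):
        for label, build in (("naive", naive_error_json), ("escaped", escaped_error_json)):
            body = build("status report", value, "The requested resource is not available.")
            print(label, audit_error_body(body))
```

With the naive builder the first value yields a body that fails to parse and the second yields a body that parses but now contains an injected "status" key and a rewritten message; the serializer-based builder preserves both values verbatim inside well-formed JSON.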