Vulnerability Details : CVE-2022-45143
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Exploit prediction scoring system (EPSS) score for CVE-2022-45143
Probability of exploitation activity in the next 30 days: 0.25%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 62 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2022-45143
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
[email protected] |
CWE ids for CVE-2022-45143
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by:
- [email protected] (Secondary)
- [email protected] (Primary)
-
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Assigned by:
- [email protected] (Secondary)
- [email protected] (Primary)
References for CVE-2022-45143
-
https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
Mailing List;Vendor Advisory
-
https://security.gentoo.org/glsa/202305-37
Third Party Advisory
Products affected by CVE-2022-45143
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.5.83:*:*:*:*:*:*:*