Vulnerability Details : CVE-2022-45143
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Products affected by CVE-2022-45143
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:10.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:8.5.83:*:*:*:*:*:*:*
Threat overview for CVE-2022-45143
Top countries where our scanners detected CVE-2022-45143
Top open port discovered on systems with this issue
80
IPs affected by CVE-2022-45143 139,436
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2022-45143!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2022-45143
0.83%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 73 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-45143
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2022-45143
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by:
- nvd@nist.gov (Secondary)
- security@apache.org (Primary)
-
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.Assigned by:
- nvd@nist.gov (Secondary)
- security@apache.org (Primary)
References for CVE-2022-45143
-
https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
[SECURITY] CVE-2022-45143 Apache Tomcat - JsonErrorReportValve injection-Apache Mail ArchivesMailing List;Vendor Advisory
-
https://security.gentoo.org/glsa/202305-37
Apache Tomcat: Multiple Vulnerabilities (GLSA 202305-37) — Gentoo securityThird Party Advisory
Jump to