CVE-2022-45143

Source
https://cve.org/CVERecord?id=CVE-2022-45143
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-45143.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-45143
Aliases
Downstream
Related
Published
2023-01-03T18:12:28.351Z
Modified
2026-07-11T03:53:17.197254292Z
Summary
Apache Tomcat: JsonErrorReportValve escaping
Details

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Database specific
{
    "cwe_ids": [
        "CWE-116"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/45xxx/CVE-2022-45143.json",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "10.1.0-M1"
                },
                {
                    "last_affected": "10.1.1"
                },
                {
                    "introduced": "9.0.40"
                },
                {
                    "last_affected": "9.0.68"
                },
                {
                    "introduced": "8.5.83"
                },
                {
                    "last_affected": "8.5.83"
                }
            ]
        }
    ],
    "cna_assigner": "apache"
}
References

Affected packages

Git / github.com/apache/tomcat

Affected ranges

Type
GIT
Repo
https://github.com/apache/tomcat
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:8.5.83:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
        "cpe:2.3:a:apache:tomcat:10.1.1:*:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_RANGE",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "9.0.40"
        },
        {
            "fixed": "9.0.69"
        },
        {
            "introduced": "8.5.83"
        },
        {
            "last_affected": "8.5.83"
        },
        {
            "introduced": "10.1.0-milestone1"
        },
        {
            "last_affected": "10.1.0-milestone1"
        },
        {
            "introduced": "10.1.0-milestone10"
        },
        {
            "last_affected": "10.1.0-milestone10"
        },
        {
            "introduced": "10.1.0-milestone11"
        },
        {
            "last_affected": "10.1.0-milestone11"
        },
        {
            "introduced": "10.1.0-milestone12"
        },
        {
            "last_affected": "10.1.0-milestone12"
        },
        {
            "introduced": "10.1.0-milestone13"
        },
        {
            "last_affected": "10.1.0-milestone13"
        },
        {
            "introduced": "10.1.0-milestone14"
        },
        {
            "last_affected": "10.1.0-milestone14"
        },
        {
            "introduced": "10.1.0-milestone15"
        },
        {
            "last_affected": "10.1.0-milestone15"
        },
        {
            "introduced": "10.1.0-milestone16"
        },
        {
            "last_affected": "10.1.0-milestone16"
        },
        {
            "introduced": "10.1.0-milestone17"
        },
        {
            "last_affected": "10.1.0-milestone17"
        },
        {
            "introduced": "10.1.0-milestone2"
        },
        {
            "last_affected": "10.1.0-milestone2"
        },
        {
            "introduced": "10.1.0-milestone3"
        },
        {
            "last_affected": "10.1.0-milestone3"
        },
        {
            "introduced": "10.1.0-milestone4"
        },
        {
            "last_affected": "10.1.0-milestone4"
        },
        {
            "introduced": "10.1.0-milestone5"
        },
        {
            "last_affected": "10.1.0-milestone5"
        },
        {
            "introduced": "10.1.0-milestone6"
        },
        {
            "last_affected": "10.1.0-milestone6"
        },
        {
            "introduced": "10.1.0-milestone7"
        },
        {
            "last_affected": "10.1.0-milestone7"
        },
        {
            "introduced": "10.1.0-milestone8"
        },
        {
            "last_affected": "10.1.0-milestone8"
        },
        {
            "introduced": "10.1.0-milestone9"
        },
        {
            "last_affected": "10.1.0-milestone9"
        },
        {
            "introduced": "10.1.1"
        },
        {
            "last_affected": "10.1.1"
        }
    ]
}

Affected versions

10.*
10.1.0-milestone1
10.1.0-milestone10
10.1.0-milestone11
10.1.0-milestone12
10.1.0-milestone13
10.1.0-milestone14
10.1.0-milestone15
10.1.0-milestone16
10.1.0-milestone17
10.1.0-milestone2
10.1.0-milestone3
10.1.0-milestone4
10.1.0-milestone5
10.1.0-milestone6
10.1.0-milestone7
10.1.0-milestone8
10.1.0-milestone9
10.1.1
8.*
8.5.83

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-45143.json"