First published: Thu Jun 23 2022
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81, the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability. The flaw is in the bundled examples only, not in Tomcat's own form authenticator, so servers that do not deploy the examples web application are not exposed.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
Apache Tomcat | >=8.5.50<=8.5.81 | Upgrade to 8.5.82 or later |
Apache Tomcat | >=9.0.30<=9.0.64 | Upgrade to 9.0.65 or later |
Apache Tomcat | >=10.0.0-M1<=10.0.22 | Upgrade to 10.0.23 or later |
Apache Tomcat | >=10.1.0-M1<=10.1.0-M16 | Upgrade to 10.1.0-M17 or later |

The fixed versions are those listed in the Apache Tomcat security announcement for this CVE. Because the vulnerable page lives only in the examples web application, removing that application (the `webapps/examples` directory) from a deployment also removes the exposure; the Tomcat documentation recommends not deploying the examples on production servers in any case.
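Matching an inventory of Tomcat servers against the ranges above is harder than a plain string comparison because the 10.x lines include milestone builds (10.0.0-M1 through 10.0.0-M10 precede 10.0.0, and 10.1.0-M16 precedes both 10.1.0-M17 and 10.1.0). The following Python is an added example written for this page, not code from Apache Tomcat or SecAlerts: it parses version strings in both the `10.1.0-M16` and `10.1.0-milestone16` spellings, orders milestones before the final release of the same x.y.z, and reports the first fixed version for each affected range. The host inventory is constructed sample data; the `Apache Tomcat/x.y.z` form is the one Tomcat's own version reporting uses. A match only means the vulnerable examples page ships with that release; whether it is actually deployed still has to be checked on the host.

```python
"""Classify Apache Tomcat version strings against the CVE-2022-34305 ranges.

Added example for this advisory page (not Tomcat's or SecAlerts' code).
"""
import re
from typing import List, Optional, Tuple

# Inclusive affected ranges and the first fixed release after each one,
# as published in the Apache Tomcat security announcement for CVE-2022-34305.
AFFECTED_RANGES = [
    (("8.5.50", "8.5.81"), "8.5.82"),
    (("9.0.30", "9.0.64"), "9.0.65"),
    (("10.0.0-M1", "10.0.22"), "10.0.23"),
    (("10.1.0-M1", "10.1.0-M16"), "10.1.0-M17"),
]

# Accepts "9.0.64", "10.1.0-M16" and the "10.1.0-milestone16" spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:M|milestone)(\d+))?$")

# Tomcat reports itself as "Apache Tomcat/<version>".
_SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\S+)")

VersionKey = Tuple[int, int, int, Tuple[int, int]]


def parse_version(text: str) -> VersionKey:
    """Turn a Tomcat version string into a sortable tuple.

    Milestone builds precede the final release with the same x.y.z, so a
    milestone is keyed as (0, n) and a final release as (1, 0). Tuples then
    compare in true release order, e.g. 10.0.0-M10 < 10.0.0 < 10.0.22.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = match.groups()
    tag = (1, 0) if milestone is None else (0, int(milestone))
    return (int(major), int(minor), int(patch), tag)


def check(version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, first_fixed_version) for one version string."""
    key = parse_version(version)
    for (low, high), fixed in AFFECTED_RANGES:
        if parse_version(low) <= key <= parse_version(high):
            return True, fixed
    return False, None


def version_from_server_info(info: str) -> str:
    """Extract the version from an 'Apache Tomcat/x.y.z' banner."""
    match = _SERVER_INFO_RE.search(info)
    if not match:
        raise ValueError(f"no Tomcat version in {info!r}")
    return match.group(1)


# Constructed sample inventory: "<host> Apache Tomcat/<version>" per line.
SAMPLE_INVENTORY = """\
web01 Apache Tomcat/9.0.64
web02 Apache Tomcat/9.0.65
web03 Apache Tomcat/10.1.0-M12
web04 Apache Tomcat/8.5.49
"""


def scan_inventory(text: str) -> List[Tuple[str, str, bool, Optional[str]]]:
    """Return (host, version, affected, fixed_version) for each inventory line."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, info = line.split(None, 1)
        version = version_from_server_info(info)
        affected, fixed = check(version)
        results.append((host, version, affected, fixed))
    return results


if __name__ == "__main__":
    for host, version, affected, fixed in scan_inventory(SAMPLE_INVENTORY):
        status = f"AFFECTED, upgrade to {fixed}" if affected else "not affected"
        print(f"{host}: {version} -> {status}")
```

Run as a script it prints one line per host; as a module, `check()` is the part to reuse, for instance against the `Server version:` line that Tomcat's `version.sh` prints on each host.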
The vulnerability ID is CVE-2022-34305.
CVE-2022-34305 has a severity level of 6.1 (Medium).
CVE-2022-34305 affects Apache Tomcat versions 8.5.50 to 8.5.81, 9.0.30 to 9.0.64, 10.0.0-M1 to 10.0.22, and 10.1.0-M1 to 10.1.0-M16.
The vulnerability in Apache Tomcat is a Cross-Site Scripting (XSS) vulnerability caused by user-provided data not being properly filtered in the Form authentication example in the examples web application.
References for CVE-2022-34305: [oss-security announcement](http://www.openwall.com/lists/oss-security/2022/06/23/1), [Apache mailing list thread](https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k), [Gentoo GLSA 202208-34](https://security.gentoo.org/glsa/202208-34)