CVE-2022-45143: Apache Tomcat: JsonErrorReportValve escaping
First published: Tue Jan 03 2023(Updated: )
The `JsonErrorReportValve` in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the `type`, `message` or `description` values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat | >=9.0.40<9.0.69 | |
| Apache Tomcat | =8.5.83 | |
| Apache Tomcat | =10.1.0-milestone1 | |
| Apache Tomcat | =10.1.0-milestone10 | |
| Apache Tomcat | =10.1.0-milestone11 | |
| Apache Tomcat | =10.1.0-milestone12 | |
| Apache Tomcat | =10.1.0-milestone13 | |
| Apache Tomcat | =10.1.0-milestone14 | |
| Apache Tomcat | =10.1.0-milestone15 | |
| Apache Tomcat | =10.1.0-milestone16 | |
| Apache Tomcat | =10.1.0-milestone17 | |
| Apache Tomcat | =10.1.0-milestone2 | |
| Apache Tomcat | =10.1.0-milestone3 | |
| Apache Tomcat | =10.1.0-milestone4 | |
| Apache Tomcat | =10.1.0-milestone5 | |
| Apache Tomcat | =10.1.0-milestone6 | |
| Apache Tomcat | =10.1.0-milestone7 | |
| Apache Tomcat | =10.1.0-milestone8 | |
| Apache Tomcat | =10.1.0-milestone9 | |
| Apache Tomcat | =10.1.1 | |
| maven/org.apache.tomcat:tomcat-util | >=9.0.40<9.0.69 | 9.0.69 |
| maven/org.apache.tomcat:tomcat-util | =8.5.83 | 8.5.84 |
| maven/org.apache.tomcat:tomcat-catalina | >=10.1.0<=10.1.1 | 10.1.2 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=10.1.0<=10.1.1 | 10.1.2 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.40<=9.0.68 | 9.0.69 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | =8.5.83 | 8.5.84 |
| redhat/tomcat | <10.1.2 | 10.1.2 |
| redhat/tomcat | <9.0.69 | 9.0.69 |
| redhat/tomcat | <8.5.84 | 8.5.84 |
| >=9.0.40<9.0.69 | ||
| =8.5.83 | ||
| =10.1.0-milestone1 | ||
| =10.1.0-milestone10 | ||
| =10.1.0-milestone11 | ||
| =10.1.0-milestone12 | ||
| =10.1.0-milestone13 | ||
| =10.1.0-milestone14 | ||
| =10.1.0-milestone15 | ||
| =10.1.0-milestone16 | ||
| =10.1.0-milestone17 | ||
| =10.1.0-milestone2 | ||
| =10.1.0-milestone3 | ||
| =10.1.0-milestone4 | ||
| =10.1.0-milestone5 | ||
| =10.1.0-milestone6 | ||
| =10.1.0-milestone7 | ||
| =10.1.0-milestone8 | ||
| =10.1.0-milestone9 | ||
| =10.1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
- https://security.gentoo.org/glsa/202305-37
- https://nvd.nist.gov/vuln/detail/CVE-2022-45143
- https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf
- https://github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa
- https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e
- https://github.com/advisories/GHSA-rq2w-37h9-vg94 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2158760
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2158759
- https://access.redhat.com/errata/RHSA-2023:1663
- https://access.redhat.com/errata/RHSA-2023:1664
- https://access.redhat.com/security/cve/cve-2022-45143
- https://access.redhat.com/errata/RHSA-2023:3954
- https://access.redhat.com/errata/RHSA-2023:4612
- https://issues.redhat.com/browse/RHEL-38548
- https://access.redhat.com/security/cve/CVE-2024-24549
- https://access.redhat.com/security/cve/CVE-2024-23672
- https://access.redhat.com/security/cve/CVE-2022-45143
- https://access.redhat.com/errata/RHSA-2024:3307
- https://bugzilla.redhat.com/show_bug.cgi?id=2158695
- https://security.netapp.com/advisory/ntap-20230216-0009/
Frequently Asked Questions
What is CVE-2022-45143?
CVE-2022-45143 is a vulnerability in Apache Tomcat versions 8.5.83, 9.0.40 to 9.0.68, and 10.1.0-M1 to 10.1.1 that allows users to supply values that invalidate or execute arbitrary code.
How severe is CVE-2022-45143?
CVE-2022-45143 has a severity rating of 7.5 (High).
What is the affected software by CVE-2022-45143?
The affected software by CVE-2022-45143 includes Apache Tomcat versions 8.5.83, 9.0.40 to 9.0.68, and 10.1.0-M1 to 10.1.1.
How can I fix CVE-2022-45143?
To fix CVE-2022-45143, you should upgrade to Apache Tomcat version 10.1.2, 9.0.69, or 8.5.84.
Where can I find more information about CVE-2022-45143?
You can find more information about CVE-2022-45143 on the NVD website, Apache Tomcat mailing list, and the Apache Tomcat GitHub commit.
- collector/nvd-index
- agent/type
- agent/weakness
- agent/severity
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rq2w-37h9-vg94
- alias/CVE-2022-45143
- agent/software-canonical-lookup
- agent/description
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- agent/title
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- agent/last-modified-date
- agent/references
- agent/author
- agent/softwarecombine
- agent/tags
- agent/event
- agent/trending
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/9.0.40
- version/apache tomcat/8.5.83
- version/apache tomcat/10.1.0-milestone1
- version/apache tomcat/10.1.0-milestone10
- version/apache tomcat/10.1.0-milestone11
- version/apache tomcat/10.1.0-milestone12
- version/apache tomcat/10.1.0-milestone13
- version/apache tomcat/10.1.0-milestone14
- version/apache tomcat/10.1.0-milestone15
- version/apache tomcat/10.1.0-milestone16
- version/apache tomcat/10.1.0-milestone17
- version/apache tomcat/10.1.0-milestone2
- version/apache tomcat/10.1.0-milestone3
- version/apache tomcat/10.1.0-milestone4
- version/apache tomcat/10.1.0-milestone5
- version/apache tomcat/10.1.0-milestone6
- version/apache tomcat/10.1.0-milestone7
- version/apache tomcat/10.1.0-milestone8
- version/apache tomcat/10.1.0-milestone9
- version/apache tomcat/10.1.1
- package-manager/maven
- package-manager/redhat