CVE-2022-34305

high-risk
Published 2022-06-23

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

Do I need to act?

!
16.9% chance of exploitation in next 30 days
EPSS score — higher than 83% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (17)

Affected Vendors

Apache

References (8)

Mailing List http://www.openwall.com/lists/oss-security/2022/06/23/1
Mailing List https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k
Third Party Advisory https://security.gentoo.org/glsa/202208-34
Third Party Advisory https://security.netapp.com/advisory/ntap-20220729-0006/
Mailing List http://www.openwall.com/lists/oss-security/2022/06/23/1
Mailing List https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k
Third Party Advisory https://security.gentoo.org/glsa/202208-34
Third Party Advisory https://security.netapp.com/advisory/ntap-20220729-0006/
55
/ 100
high-risk
Severity 23/34 · High
Exploitability 13/34 · Low
Exposure 19/34 · Moderate