CVE-2022-45143

moderate-risk

Published 2023-01-03

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Do I need to act?

0.82% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Tomcat

Affected Vendors

Apache

References (5)

Mailing List https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj

Third Party Advisory https://security.gentoo.org/glsa/202305-37

Mailing List https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj

Third Party Advisory https://security.gentoo.org/glsa/202305-37

https://security.netapp.com/advisory/ntap-20230216-0009/

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 3/34 · Minimal

Exposure 20/34 · Moderate