Apache Tomcat improperly escapes input from JsonErrorReportValve

2023-01-0321:30:21

CWE-74

CWE-116

GitHub Advisory Database

github.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.005 Low

EPSS

Percentile

75.6%

JSON

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

CPENameOperatorVersion
org.apache.tomcat:tomcat-utillt9.0.69
org.apache.tomcat:tomcat-utileq8.5.83
org.apache.tomcat:tomcat-catalinale10.1.1
org.apache.tomcat.embed:tomcat-embed-corele10.1.1
org.apache.tomcat.embed:tomcat-embed-corele9.0.68
org.apache.tomcat.embed:tomcat-embed-coreeq8.5.83

Name	Operator	Version
org.apache.tomcat:tomcat-util	lt	9.0.69
org.apache.tomcat:tomcat-util	eq	8.5.83
org.apache.tomcat:tomcat-catalina	le	10.1.1
org.apache.tomcat.embed:tomcat-embed-core	le	10.1.1
org.apache.tomcat.embed:tomcat-embed-core	le	9.0.68
org.apache.tomcat.embed:tomcat-embed-core	eq	8.5.83