Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-45143 (GCVE-0-2022-45143)
Vulnerability from cvelistv5 – Published: 2023-01-03 18:12 – Updated: 2024-08-03 14:09
VLAI?
EPSS
Title
Apache Tomcat: JsonErrorReportValve escaping
Summary
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Severity ?
No CVSS data available.
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Tomcat |
Affected:
10.1.0-M1 , ≤ 10.1.1
(semver)
Affected: 9.0.40 , ≤ 9.0.68 (semver) Affected: 8.5.83 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:09:56.475Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://security.netapp.com/advisory/ntap-20230216-0009/"
},
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202305-37"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-45143",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T14:55:21.394332Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T14:55:50.547Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Apache Tomcat",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "10.1.1",
"status": "affected",
"version": "10.1.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.68",
"status": "affected",
"version": "9.0.40",
"versionType": "semver"
},
{
"status": "affected",
"version": "8.5.83"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output."
}
],
"value": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116 Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-27T12:57:14.452Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"url": "https://security.gentoo.org/glsa/202305-37"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Apache Tomcat: JsonErrorReportValve escaping",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2022-45143",
"datePublished": "2023-01-03T18:12:28.351Z",
"dateReserved": "2022-11-10T15:00:33.203Z",
"dateUpdated": "2024-08-03T14:09:56.475Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20230216-0009/\"}, {\"url\": \"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://security.gentoo.org/glsa/202305-37\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T14:09:56.475Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-45143\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-01T14:55:21.394332Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-01T14:55:46.720Z\"}}], \"cna\": {\"title\": \"Apache Tomcat: JsonErrorReportValve escaping\", \"source\": {\"discovery\": \"INTERNAL\"}, \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"low\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Tomcat\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.1.0-M1\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.1.1\"}, {\"status\": \"affected\", \"version\": \"9.0.40\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.0.68\"}, {\"status\": \"affected\", \"version\": \"8.5.83\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202305-37\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-116\", \"description\": \"CWE-116 Improper Encoding or Escaping of Output\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2023-06-27T12:57:14.452Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2022-45143\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-03T14:09:56.475Z\", \"dateReserved\": \"2022-11-10T15:00:33.203Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2023-01-03T18:12:28.351Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
FKIE_CVE-2022-45143
Vulnerability from fkie_nvd - Published: 2023-01-03 19:15 - Updated: 2024-11-21 07:28
Severity ?
Summary
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
References
| URL | Tags | ||
|---|---|---|---|
| security@apache.org | https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj | Mailing List, Vendor Advisory | |
| security@apache.org | https://security.gentoo.org/glsa/202305-37 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj | Mailing List, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202305-37 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20230216-0009/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | * | |
| apache | tomcat | 8.5.83 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.0 | |
| apache | tomcat | 10.1.1 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"matchCriteriaId": "24BAD725-BA56-4B40-9BFA-1B6B99348F7D",
"versionEndExcluding": "9.0.69",
"versionStartIncluding": "9.0.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:8.5.83:*:*:*:*:*:*:*",
"matchCriteriaId": "7BA74802-4328-4AB7-AE53-7118C3EA5018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "6D402B5D-5901-43EB-8E6A-ECBD512CE367",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"matchCriteriaId": "33C71AE1-B38E-4783-BAC2-3CDA7B4D9EBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"matchCriteriaId": "F6BD4180-D3E8-42AB-96B1-3869ECF47F6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"matchCriteriaId": "64668CCF-DBC9-442D-9E0F-FD40E1D0DDB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"matchCriteriaId": "FC64BB57-4912-481E-AE8D-C8FCD36142BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"matchCriteriaId": "49B43BFD-6B6C-4E6D-A9D8-308709DDFB44",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
"matchCriteriaId": "919C16BD-79A7-4597-8D23-2CBDED2EF615",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
"matchCriteriaId": "81B27C03-D626-42EC-AE4E-1E66624908E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
"matchCriteriaId": "BD81405D-81A5-4683-A355-B39C912DAD2D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9846609D-51FC-4CDD-97B3-8C6E07108F14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "2E321FB4-0B0C-497A-BB75-909D888C93CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"matchCriteriaId": "3B0CAE57-AF7A-40E6-9519-F5C9F422C1BE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"matchCriteriaId": "7CB9D150-EED6-4AE9-BCBE-48932E50035E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"matchCriteriaId": "D334103F-F64E-4869-BCC8-670A5AFCC76C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"matchCriteriaId": "941FCF7B-FFB6-4967-95C7-BB3D32C73DAF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"matchCriteriaId": "CE1A9030-B397-4BA6-8E13-DA1503872DDB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
"matchCriteriaId": "6284B74A-1051-40A7-9D74-380FEEEC3F88",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:apache:tomcat:10.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A8FEA1A6-0E39-4099-ABC4-73B921FE5C4F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output."
},
{
"lang": "es",
"value": "JsonErrorReportValve en Apache Tomcat 8.5.83, 9.0.40 a 9.0.68 y 10.1.0-M1 a 10.1.1 no escap\u00f3 de los valores de tipo, mensaje o descripci\u00f3n. En algunas circunstancias, estos se construyen a partir de datos proporcionados por el usuario y, por lo tanto, era posible que los usuarios proporcionaran valores que invalidaban o manipulaban la salida JSON."
}
],
"id": "CVE-2022-45143",
"lastModified": "2024-11-21T07:28:50.497",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-03T19:15:10.403",
"references": [
{
"source": "security@apache.org",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"source": "security@apache.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202305-37"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202305-37"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20230216-0009/"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "security@apache.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
CERTFR-2023-AVI-0325
Vulnerability from certfr_avis - Published: 2023-04-19 - Updated: 2023-04-20
De multiples vulnérabilités ont été découvertes dans les produits Oracle. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Oracle | Java SE | Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20 | ||
| Oracle | Database Server | Oracle Database Server 19c, 21c | ||
| Oracle | N/A | Oracle GraalVM Enterprise Edition: 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1 | ||
| Oracle | PeopleSoft | Oracle PeopleSoft versions 8.58, 8.59, 8.60, 9.2 | ||
| Oracle | Virtualization | Oracle Virtualization versions 6.1.x antérieures à 6.1.44 | ||
| Oracle | MySQL | Oracle MySQL versions 8.0.33 et antérieures | ||
| Oracle | Systems | Oracle Systems versions 10, 11 | ||
| Oracle | Virtualization | Oracle Virtualization versions 7.0.x antérieures à 7.0.8 | ||
| Oracle | MySQL | Oracle MySQL versions 5.7.41 et antérieures | ||
| Oracle | Weblogic | Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20",
"product": {
"name": "Java SE",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Database Server 19c, 21c",
"product": {
"name": "Database Server",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle GraalVM Enterprise Edition: 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1",
"product": {
"name": "N/A",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle PeopleSoft versions 8.58, 8.59, 8.60, 9.2",
"product": {
"name": "PeopleSoft",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Virtualization versions 6.1.x ant\u00e9rieures \u00e0 6.1.44",
"product": {
"name": "Virtualization",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle MySQL versions 8.0.33 et ant\u00e9rieures",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Systems versions 10, 11",
"product": {
"name": "Systems",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle Virtualization versions 7.0.x ant\u00e9rieures \u00e0 7.0.8",
"product": {
"name": "Virtualization",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle MySQL versions 5.7.41 et ant\u00e9rieures",
"product": {
"name": "MySQL",
"vendor": {
"name": "Oracle",
"scada": false
}
}
},
{
"description": "Oracle WebLogic Server versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0",
"product": {
"name": "Weblogic",
"vendor": {
"name": "Oracle",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2023-21938",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21938"
},
{
"name": "CVE-2023-21916",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21916"
},
{
"name": "CVE-2023-21985",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21985"
},
{
"name": "CVE-2023-21979",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21979"
},
{
"name": "CVE-2023-21986",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21986"
},
{
"name": "CVE-2020-14343",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14343"
},
{
"name": "CVE-2023-21954",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21954"
},
{
"name": "CVE-2023-21940",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21940"
},
{
"name": "CVE-2023-21939",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21939"
},
{
"name": "CVE-2023-21962",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21962"
},
{
"name": "CVE-2022-31160",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31160"
},
{
"name": "CVE-2022-45061",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45061"
},
{
"name": "CVE-2023-21917",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21917"
},
{
"name": "CVE-2023-21984",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21984"
},
{
"name": "CVE-2023-21956",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21956"
},
{
"name": "CVE-2023-0215",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-0215"
},
{
"name": "CVE-2023-21945",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21945"
},
{
"name": "CVE-2022-42916",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42916"
},
{
"name": "CVE-2023-21966",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21966"
},
{
"name": "CVE-2023-21947",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21947"
},
{
"name": "CVE-2023-22002",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22002"
},
{
"name": "CVE-2023-21981",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21981"
},
{
"name": "CVE-2023-21987",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21987"
},
{
"name": "CVE-2023-21977",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21977"
},
{
"name": "CVE-2023-21971",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21971"
},
{
"name": "CVE-2023-21999",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21999"
},
{
"name": "CVE-2023-21928",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21928"
},
{
"name": "CVE-2023-21972",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21972"
},
{
"name": "CVE-2023-21960",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21960"
},
{
"name": "CVE-2021-37533",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37533"
},
{
"name": "CVE-2023-21990",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21990"
},
{
"name": "CVE-2023-22000",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22000"
},
{
"name": "CVE-2023-21913",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21913"
},
{
"name": "CVE-2023-23918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-23918"
},
{
"name": "CVE-2021-36090",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36090"
},
{
"name": "CVE-2023-21963",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21963"
},
{
"name": "CVE-2023-21980",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21980"
},
{
"name": "CVE-2020-6950",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-6950"
},
{
"name": "CVE-2023-21996",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21996"
},
{
"name": "CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"name": "CVE-2023-21953",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21953"
},
{
"name": "CVE-2023-21934",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21934"
},
{
"name": "CVE-2023-22003",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22003"
},
{
"name": "CVE-2023-21998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21998"
},
{
"name": "CVE-2022-37434",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37434"
},
{
"name": "CVE-2023-21946",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21946"
},
{
"name": "CVE-2023-21933",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21933"
},
{
"name": "CVE-2023-21931",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21931"
},
{
"name": "CVE-2023-21937",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21937"
},
{
"name": "CVE-2022-45143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45143"
},
{
"name": "CVE-2023-21896",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21896"
},
{
"name": "CVE-2022-43551",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43551"
},
{
"name": "CVE-2023-21964",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21964"
},
{
"name": "CVE-2021-22569",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
},
{
"name": "CVE-2022-34169",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
},
{
"name": "CVE-2022-43548",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43548"
},
{
"name": "CVE-2023-21920",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21920"
},
{
"name": "CVE-2022-45685",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45685"
},
{
"name": "CVE-2023-21918",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21918"
},
{
"name": "CVE-2023-21992",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21992"
},
{
"name": "CVE-2023-21911",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21911"
},
{
"name": "CVE-2023-21976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21976"
},
{
"name": "CVE-2021-31684",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31684"
},
{
"name": "CVE-2023-21968",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21968"
},
{
"name": "CVE-2023-21991",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21991"
},
{
"name": "CVE-2023-21989",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21989"
},
{
"name": "CVE-2023-21982",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21982"
},
{
"name": "CVE-2023-21930",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21930"
},
{
"name": "CVE-2023-24998",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-24998"
},
{
"name": "CVE-2023-21935",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21935"
},
{
"name": "CVE-2020-25638",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25638"
},
{
"name": "CVE-2023-21955",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21955"
},
{
"name": "CVE-2023-21988",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21988"
},
{
"name": "CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"name": "CVE-2022-45047",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45047"
},
{
"name": "CVE-2022-36033",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36033"
},
{
"name": "CVE-2023-21912",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21912"
},
{
"name": "CVE-2023-21929",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21929"
},
{
"name": "CVE-2023-21967",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21967"
},
{
"name": "CVE-2023-22001",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22001"
},
{
"name": "CVE-2022-41881",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41881"
},
{
"name": "CVE-2023-21948",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21948"
},
{
"name": "CVE-2023-21919",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-21919"
}
],
"initial_release_date": "2023-04-19T00:00:00",
"last_revision_date": "2023-04-20T00:00:00",
"links": [],
"reference": "CERTFR-2023-AVI-0325",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-04-19T00:00:00.000000"
},
{
"description": "Correction coquilles.",
"revision_date": "2023-04-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nOracle. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Oracle",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Oracle cpuapr2023 du 18 avril 2023",
"url": "https://www.oracle.com/security-alerts/cpuapr2023.html"
}
]
}
CERTFR-2023-AVI-0276
Vulnerability from certfr_avis - Published: 2023-03-31 - Updated: 2023-03-31
De multiples vulnérabilités ont été découvertes dans IBM. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une élévation de privilèges, une atteinte à l'intégrité des données, un contournement de la politique de sécurité, une injection de code indirecte à distance (XSS), une exécution de code arbitraire à distance, un déni de service à distance et un problème de sécurité non spécifié par l'éditeur.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | WebSphere | IBM WebSphere Hybrid Edition 5.1 sans le correctif de sécurité APAR PH52925 | ||
| IBM | WebSphere | IBM WebSphere Automation versions antérieures à 1.5.2 | ||
| IBM | WebSphere | IBM WebSphere Application Server 9.0 sans le correctif de sécurité APAR PH52925 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM versions antérieures à 7.5.0 UP5 | ||
| IBM | Db2 | IBM Db2 Web Queryfor i versions 2.3.0 et 2.4.0 sans le correctif de sécurité 5733WQX | ||
| IBM | Spectrum | IBM Spectrum Protect Plus Server versions antérieures à 10.1.12.4 | ||
| IBM | N/A | IBM HTTP Server for i sans le correctif de sécurité 5770DG1 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM versions antérieures à 7.5.0 UP4 IF01 | ||
| IBM | QRadar User Behavior Analytics | QRadar User Behavior Analytics versions 1.0.0 à 4.1.10 antérieures à 4.1.11 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM versions antérieures à 7.4.3 FP9 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM WebSphere Hybrid Edition 5.1 sans le correctif de s\u00e9curit\u00e9 APAR PH52925",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Automation versions ant\u00e9rieures \u00e0 1.5.2",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM WebSphere Application Server 9.0 sans le correctif de s\u00e9curit\u00e9 APAR PH52925",
"product": {
"name": "WebSphere",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions ant\u00e9rieures \u00e0 7.5.0 UP5",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Db2 Web Queryfor i versions 2.3.0 et 2.4.0 sans le correctif de s\u00e9curit\u00e9 5733WQX",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Spectrum Protect Plus Server versions ant\u00e9rieures \u00e0 10.1.12.4",
"product": {
"name": "Spectrum",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM HTTP Server for i sans le correctif de s\u00e9curit\u00e9 5770DG1",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions ant\u00e9rieures \u00e0 7.5.0 UP4 IF01",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar User Behavior Analytics versions 1.0.0 \u00e0 4.1.10 ant\u00e9rieures \u00e0 4.1.11",
"product": {
"name": "QRadar User Behavior Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions ant\u00e9rieures \u00e0 7.4.3 FP9",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-28733",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28733"
},
{
"name": "CVE-2022-31129",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31129"
},
{
"name": "CVE-2022-32189",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32189"
},
{
"name": "CVE-2020-24025",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24025"
},
{
"name": "CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"name": "CVE-2023-26283",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26283"
},
{
"name": "CVE-2022-30631",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30631"
},
{
"name": "CVE-2022-23825",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23825"
},
{
"name": "CVE-2021-39227",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-39227"
},
{
"name": "CVE-2021-23364",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23364"
},
{
"name": "CVE-2022-22971",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22971"
},
{
"name": "CVE-2021-37701",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37701"
},
{
"name": "CVE-2021-25220",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25220"
},
{
"name": "CVE-2022-2964",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2964"
},
{
"name": "CVE-2021-3677",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3677"
},
{
"name": "CVE-2018-19797",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19797"
},
{
"name": "CVE-2021-32804",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32804"
},
{
"name": "CVE-2018-19827",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19827"
},
{
"name": "CVE-2018-15494",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-15494"
},
{
"name": "CVE-2022-30635",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30635"
},
{
"name": "CVE-2018-11694",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11694"
},
{
"name": "CVE-2022-41715",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41715"
},
{
"name": "CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"name": "CVE-2018-8036",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-8036"
},
{
"name": "CVE-2022-25647",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25647"
},
{
"name": "CVE-2022-29900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29900"
},
{
"name": "CVE-2022-29901",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29901"
},
{
"name": "CVE-2022-36364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36364"
},
{
"name": "CVE-2022-4883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4883"
},
{
"name": "CVE-2022-41966",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41966"
},
{
"name": "CVE-2022-21624",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21624"
},
{
"name": "CVE-2020-13936",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13936"
},
{
"name": "CVE-2022-30629",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30629"
},
{
"name": "CVE-2022-40153",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40153"
},
{
"name": "CVE-2022-42252",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42252"
},
{
"name": "CVE-2022-32148",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-32148"
},
{
"name": "CVE-2022-40149",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40149"
},
{
"name": "CVE-2022-21626",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21626"
},
{
"name": "CVE-2020-7764",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-7764"
},
{
"name": "CVE-2022-41946",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41946"
},
{
"name": "CVE-2022-25927",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25927"
},
{
"name": "CVE-2022-30630",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30630"
},
{
"name": "CVE-2021-37713",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37713"
},
{
"name": "CVE-2021-42581",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42581"
},
{
"name": "CVE-2022-1705",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1705"
},
{
"name": "CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"name": "CVE-2021-37712",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37712"
},
{
"name": "CVE-2022-21724",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21724"
},
{
"name": "CVE-2022-46364",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46364"
},
{
"name": "CVE-2022-40150",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40150"
},
{
"name": "CVE-2022-24999",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24999"
},
{
"name": "CVE-2022-30633",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30633"
},
{
"name": "CVE-2019-10785",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10785"
},
{
"name": "CVE-2022-21628",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21628"
},
{
"name": "CVE-2022-24823",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24823"
},
{
"name": "CVE-2021-37136",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37136"
},
{
"name": "CVE-2022-30632",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30632"
},
{
"name": "CVE-2022-37601",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
},
{
"name": "CVE-2022-40152",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40152"
},
{
"name": "CVE-2021-3807",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3807"
},
{
"name": "CVE-2022-46363",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46363"
},
{
"name": "CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"name": "CVE-2022-1962",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1962"
},
{
"name": "CVE-2021-23382",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23382"
},
{
"name": "CVE-2019-6286",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6286"
},
{
"name": "CVE-2022-2795",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2795"
},
{
"name": "CVE-2020-5259",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-5259"
},
{
"name": "CVE-2022-28131",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-28131"
},
{
"name": "CVE-2021-26401",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-26401"
},
{
"name": "CVE-2022-24785",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24785"
},
{
"name": "CVE-2021-23450",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23450"
},
{
"name": "CVE-2018-19839",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19839"
},
{
"name": "CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"name": "CVE-2021-32803",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32803"
},
{
"name": "CVE-2022-4254",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-4254"
},
{
"name": "CVE-2022-2880",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2880"
},
{
"name": "CVE-2023-22809",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22809"
},
{
"name": "CVE-2018-20821",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20821"
},
{
"name": "CVE-2022-45143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45143"
},
{
"name": "CVE-2022-26373",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-26373"
},
{
"name": "CVE-2022-2879",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2879"
},
{
"name": "CVE-2019-6283",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6283"
},
{
"name": "CVE-2019-6284",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6284"
},
{
"name": "CVE-2022-42898",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42898"
},
{
"name": "CVE-2022-25901",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25901"
},
{
"name": "CVE-2020-15366",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-15366"
},
{
"name": "CVE-2022-22970",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22970"
},
{
"name": "CVE-2022-1552",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1552"
},
{
"name": "CVE-2022-3676",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3676"
},
{
"name": "CVE-2022-42890",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42890"
},
{
"name": "CVE-2022-23437",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23437"
},
{
"name": "CVE-2022-34917",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34917"
},
{
"name": "CVE-2021-23343",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23343"
},
{
"name": "CVE-2022-2588",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2588"
},
{
"name": "CVE-2022-43928",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-43928"
},
{
"name": "CVE-2021-42740",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-42740"
},
{
"name": "CVE-2021-3918",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3918"
},
{
"name": "CVE-2018-20190",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20190"
},
{
"name": "CVE-2022-30580",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-30580"
},
{
"name": "CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"name": "CVE-2022-40156",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40156"
},
{
"name": "CVE-2022-2625",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-2625"
},
{
"name": "CVE-2022-40155",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40155"
},
{
"name": "CVE-2022-23816",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-23816"
},
{
"name": "CVE-2022-31197",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31197"
},
{
"name": "CVE-2018-19838",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19838"
},
{
"name": "CVE-2022-37599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37599"
},
{
"name": "CVE-2021-23368",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23368"
},
{
"name": "CVE-2018-11698",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11698"
},
{
"name": "CVE-2021-29060",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-29060"
},
{
"name": "CVE-2022-36033",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-36033"
},
{
"name": "CVE-2021-3765",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3765"
},
{
"name": "CVE-2022-25758",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25758"
},
{
"name": "CVE-2021-23362",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23362"
},
{
"name": "CVE-2022-21619",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21619"
},
{
"name": "CVE-2022-37598",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37598"
},
{
"name": "CVE-2022-24839",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-24839"
},
{
"name": "CVE-2022-40154",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-40154"
},
{
"name": "CVE-2022-41704",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41704"
},
{
"name": "CVE-2022-27664",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-27664"
}
],
"initial_release_date": "2023-03-31T00:00:00",
"last_revision_date": "2023-03-31T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967365 du 20 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6967365"
},
{
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967333 du 30 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6967333"
}
],
"reference": "CERTFR-2023-AVI-0276",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-03-31T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eIBM\u003c/span\u003e. Elles permettent \u00e0 un attaquant de provoquer\nune atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une \u00e9l\u00e9vation de\nprivil\u00e8ges, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es, un contournement de\nla politique de s\u00e9curit\u00e9, une injection de code indirecte \u00e0 distance\n(XSS), une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967016 du 29 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6967016"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967283 du 15 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6967283"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967333 du 20 mars 2023",
"url": null
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967285 du 28 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6967285"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6966998 du 29 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6966998"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967315 du 30 mars 2023",
"url": "https://www.ibm.com/support/pages/node/6967315"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6967365 du 30 mars 2023",
"url": null
}
]
}
CERTFR-2023-AVI-0001
Vulnerability from certfr_avis - Published: 2023-01-04 - Updated: 2023-01-04
Une vulnérabilité a été découverte dans Apache Tomcat. Elle permet à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Apache Tomcat versions 9.x ant\u00e9rieures \u00e0 9.0.69",
"product": {
"name": "Tomcat",
"vendor": {
"name": "Apache",
"scada": false
}
}
},
{
"description": "Apache Tomcat versions 8.x ant\u00e9rieures \u00e0 8.5.84",
"product": {
"name": "Tomcat",
"vendor": {
"name": "Apache",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-45143",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-45143"
}
],
"initial_release_date": "2023-01-04T00:00:00",
"last_revision_date": "2023-01-04T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 Apache\u00a08.5.84 du 21 novembre 2022",
"url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.84"
}
],
"reference": "CERTFR-2023-AVI-0001",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2023-01-04T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Apache Tomcat. Elle permet \u00e0 un\nattaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par\nl\u0027\u00e9diteur.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Apache Tomcat",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apache 9.0.69 du 14 novembre 2022",
"url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.69"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Apache 8.5.84 du 21 novembre 2022",
"url": null
}
]
}
GHSA-RQ2W-37H9-VG94
Vulnerability from github – Published: 2023-01-03 21:30 – Updated: 2024-04-23 21:44
VLAI?
Summary
Apache Tomcat improperly escapes input from JsonErrorReportValve
Details
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.83"
},
{
"fixed": "8.5.84"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.83"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 9.0.68"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.40"
},
{
"fixed": "9.0.69"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat.embed:tomcat-embed-core"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
},
{
"fixed": "10.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 10.1.1"
},
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-catalina"
},
"ranges": [
{
"events": [
{
"introduced": "10.1.0"
},
{
"fixed": "10.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-util"
},
"ranges": [
{
"events": [
{
"introduced": "8.5.83"
},
{
"fixed": "8.5.84"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"8.5.83"
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.tomcat:tomcat-util"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.40"
},
{
"fixed": "9.0.69"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-45143"
],
"database_specific": {
"cwe_ids": [
"CWE-116",
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-05T12:02:50Z",
"nvd_published_at": "2023-01-03T19:15:00Z",
"severity": "HIGH"
},
"details": "The `JsonErrorReportValve` in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the `type`, `message` or `description` values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.",
"id": "GHSA-rq2w-37h9-vg94",
"modified": "2024-04-23T21:44:48Z",
"published": "2023-01-03T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45143"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa"
},
{
"type": "WEB",
"url": "https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/tomcat"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-37"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Tomcat improperly escapes input from JsonErrorReportValve"
}
cleanstart-2026-xi02879
Vulnerability from cleanstart
Published
2026-01-30 16:18
Modified
2026-01-29 18:58
Summary
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11
Details
Multiple security vulnerabilities affect the tomcat9 package. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "tomcat9"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.80-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the tomcat9 package. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-XI02879",
"modified": "2026-01-29T18:58:54Z",
"published": "2026-01-30T16:18:55.578686Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-XI02879.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-23181"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-29885"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-34305"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-42252"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-45143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-24998"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-28708"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23181"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29885"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34305"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42252"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28708"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11",
"upstream": [
"CVE-2022-23181",
"CVE-2022-29885",
"CVE-2022-34305",
"CVE-2022-42252",
"CVE-2022-45143",
"CVE-2023-24998",
"CVE-2023-28708"
]
}
cleanstart-2026-am95501
Vulnerability from cleanstart
Published
2026-02-03 00:37
Modified
2026-02-02 12:32
Summary
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11
Details
Multiple security vulnerabilities affect the tomcat10 package. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "tomcat10"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.0.80-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the tomcat10 package. When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-AM95501",
"modified": "2026-02-02T12:32:10Z",
"published": "2026-02-03T00:37:00.849369Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-AM95501.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-23181"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-29885"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-34305"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-42252"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-45143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-24998"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-28708"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23181"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29885"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34305"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-42252"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28708"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11",
"upstream": [
"CVE-2022-23181",
"CVE-2022-29885",
"CVE-2022-34305",
"CVE-2022-42252",
"CVE-2022-45143",
"CVE-2023-24998",
"CVE-2023-28708"
]
}
GSD-2022-45143
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-45143",
"description": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.",
"id": "GSD-2022-45143",
"references": [
"https://www.suse.com/security/cve/CVE-2022-45143.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-45143"
],
"details": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.",
"id": "GSD-2022-45143",
"modified": "2023-12-13T01:19:24.714720Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-45143",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Tomcat",
"version": {
"version_data": [
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"defaultStatus": "affected",
"versions": [
{
"lessThanOrEqual": "10.1.1",
"status": "affected",
"version": "10.1.0-M1",
"versionType": "semver"
},
{
"lessThanOrEqual": "9.0.68",
"status": "affected",
"version": "9.0.40",
"versionType": "semver"
},
{
"status": "affected",
"version": "8.5.83"
}
]
}
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output."
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-116",
"lang": "eng",
"value": "CWE-116 Improper Encoding or Escaping of Output"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"name": "https://security.gentoo.org/glsa/202305-37",
"refsource": "MISC",
"url": "https://security.gentoo.org/glsa/202305-37"
}
]
},
"source": {
"discovery": "INTERNAL"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "[8.5.83],[9.0.40,9.0.69),[10.1.0,10.1.1]",
"affected_versions": "Version 8.5.83, all versions starting from 9.0.40 before 9.0.69, all versions starting from 10.1.0 up to 10.1.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-74",
"CWE-937"
],
"date": "2023-01-10",
"description": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.",
"fixed_versions": [
"9.0.69"
],
"identifier": "CVE-2022-45143",
"identifiers": [
"CVE-2022-45143",
"GHSA-rq2w-37h9-vg94"
],
"not_impacted": "",
"package_slug": "maven/org.apache.tomcat.embed/tomcat-embed-core",
"pubdate": "1970-01-01",
"solution": "Upgrade to version 9.0.69 or above.",
"title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-45143",
"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj",
"https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf",
"https://github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa",
"https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e",
"https://github.com/advisories/GHSA-rq2w-37h9-vg94"
],
"uuid": "d7c53739-5252-473b-92e8-181e1d441e85"
},
{
"affected_range": "[8.5.83],[9.0.40,9.0.69),[10.1.0,10.1.1]",
"affected_versions": "Version 8.5.83, all versions starting from 9.0.40 before 9.0.69, all versions starting from 10.1.0 up to 10.1.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-116",
"CWE-937"
],
"date": "2023-06-27",
"description": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.",
"fixed_versions": [
"8.5.84",
"9.0.69",
"10.1.2"
],
"identifier": "CVE-2022-45143",
"identifiers": [
"CVE-2022-45143"
],
"not_impacted": "All versions before 8.5.83, all versions after 8.5.83 before 9.0.40, all versions starting from 9.0.69 before 10.1.0, all versions after 10.1.1",
"package_slug": "maven/org.apache.tomcat/tomcat-catalina",
"pubdate": "2023-01-03",
"solution": "Upgrade to versions 8.5.84, 9.0.69, 10.1.2 or above.",
"title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-45143",
"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
],
"uuid": "1a515fb7-02be-41cc-b6f8-f14bbd3ebd32"
},
{
"affected_range": "[8.5.83],[9.0.40,9.0.69),[10.1.0,10.1.1]",
"affected_versions": "Version 8.5.83, all versions starting from 9.0.40 before 9.0.69, all versions starting from 10.1.0 up to 10.1.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-116",
"CWE-937"
],
"date": "2023-06-27",
"description": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.",
"fixed_versions": [
"8.5.84",
"9.0.69",
"10.1.2"
],
"identifier": "CVE-2022-45143",
"identifiers": [
"CVE-2022-45143",
"GHSA-rq2w-37h9-vg94"
],
"not_impacted": "All versions before 8.5.83, all versions after 8.5.83 before 9.0.40, all versions starting from 9.0.69 before 10.1.0, all versions after 10.1.1",
"package_slug": "maven/org.apache.tomcat/tomcat",
"pubdate": "2023-01-03",
"solution": "Upgrade to versions 8.5.84, 9.0.69, 10.1.2 or above.",
"title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-45143",
"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj",
"https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf",
"https://github.com/apache/tomcat/commit/6a0ac6a438cbbb66b6e9c5223842f53bf0cb50aa",
"https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e",
"https://github.com/advisories/GHSA-rq2w-37h9-vg94"
],
"uuid": "fff1f45b-8789-481c-a48a-988f8099c96e"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:10.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "9.0.69",
"versionStartIncluding": "9.0.40",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:tomcat:8.5.83:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-45143"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj",
"refsource": "MISC",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"name": "https://security.gentoo.org/glsa/202305-37",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202305-37"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-06-27T13:15Z",
"publishedDate": "2023-01-03T19:15Z"
}
}
}
bit-tomcat-2022-45143
Vulnerability from bitnami_vulndb
Published
2024-03-06 11:09
Modified
2025-05-20 10:02
Summary
Apache Tomcat: JsonErrorReportValve escaping
Details
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "tomcat",
"purl": "pkg:bitnami/tomcat"
},
"ranges": [
{
"events": [
{
"introduced": "9.0.40"
},
{
"fixed": "9.0.69"
},
{
"introduced": "8.5.83"
},
{
"fixed": "8.5.84"
},
{
"introduced": "10.1.1"
},
{
"fixed": "10.1.2"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2022-45143"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.1:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:8.5.83:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*",
"cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*"
],
"severity": "High"
},
"details": "The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.",
"id": "BIT-tomcat-2022-45143",
"modified": "2025-05-20T10:02:07.006Z",
"published": "2024-03-06T11:09:02.789Z",
"references": [
{
"type": "WEB",
"url": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202305-37"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20230216-0009/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45143"
}
],
"schema_version": "1.5.0",
"summary": "Apache Tomcat: JsonErrorReportValve escaping"
}
CVE-2022-45143
Vulnerability from fstec - Published: 09.11.2022
VLAI Severity ?
Title
Уязвимость класса JsonErrorReportValve сервера приложений Apache Tomcat, позволяющая нарушителю оказать влияние на целостность защищаемой информации
Description
Уязвимость класса JsonErrorReportValve сервера приложений Apache Tomcat связана с недостатком механизма кодирования или экранирования выходных данных. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, оказать влияние на целостность защищаемой информации
Severity ?
Vendor
Сообщество свободного программного обеспечения, ООО «Ред Софт», АО «ИВК», АО "НППКТ", Oracle Corp., Apache Software Foundation
Software Name
Debian GNU/Linux, РЕД ОС (запись в едином реестре российских программ №3751), Альт 8 СП (запись в едином реестре российских программ №4305), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), АЛЬТ СП 10, Oracle Exadata, Tomcat
Software Version
11 (Debian GNU/Linux), 7.3 (РЕД ОС), - (Альт 8 СП), до 2.8 (ОСОН ОСнова Оnyx), - (АЛЬТ СП 10), 21.2.23.0.0 (Patch 35130088) (Oracle Exadata), 21.2.23.0.0 (Patch 35277269) (Oracle Exadata), 8.5.83 (Tomcat), от 9.0.40 до 9.0.69 (Tomcat), от 10.1.0-M1 до 10.1.2 (Tomcat)
Possible Mitigations
Использование рекомендаций:
Для Apache Tomcat:
https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf
https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-8.html
Для Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2022-45143
Для Oracle Exadata:
Обновление до версии 21.2.24.0.0:
https://blogs.oracle.com/exadata/post/software-2023-may
Для ОСОН ОСнова Оnyx:
Обновление программного обеспечения tomcat9 до версии 9.0.43+repack-2~deb11u6.osnova1
Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
Для ОС АЛЬТ СП 10: установка обновления из публичного репозитория программного средства: https://altsp.su/obnovleniya-bezopasnosti/
Для ОС Альт 8 СП: установка обновления из публичного репозитория программного средства: https://altsp.su/obnovleniya-bezopasnosti/
Reference
https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
https://security.gentoo.org/glsa/202305-37
https://security-tracker.debian.org/tracker/CVE-2022-45143
https://www.openwall.com/lists/oss-security/2023/01/03/1
https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf
https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e
https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/JsonErrorReportValve.html
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.8/
http://repo.red-soft.ru/redos/7.3c/x86_64/updates/
https://altsp.su/obnovleniya-bezopasnosti/
https://altsp.su/obnovleniya-bezopasnosti/
CWE
CWE-116
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:C/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", Oracle Corp., Apache Software Foundation",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "11 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), \u0434\u043e 2.8 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), - (\u0410\u041b\u042c\u0422 \u0421\u041f 10), 21.2.23.0.0 (Patch 35130088) (Oracle Exadata), 21.2.23.0.0 (Patch 35277269) (Oracle Exadata), 8.5.83 (Tomcat), \u043e\u0442 9.0.40 \u0434\u043e 9.0.69 (Tomcat), \u043e\u0442 10.1.0-M1 \u0434\u043e 10.1.2 (Tomcat)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Apache Tomcat:\nhttps://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj\nhttps://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf\nhttps://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e\nhttps://tomcat.apache.org/security-10.html\nhttps://tomcat.apache.org/security-9.html\nhttps://tomcat.apache.org/security-8.html\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2022-45143\n\n\u0414\u043b\u044f Oracle Exadata:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 21.2.24.0.0:\nhttps://blogs.oracle.com/exadata/post/software-2023-may\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f tomcat9 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 9.0.43+repack-2~deb11u6.osnova1\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u041b\u042c\u0422 \u0421\u041f 10: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430: https://altsp.su/obnovleniya-bezopasnosti/\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430: https://altsp.su/obnovleniya-bezopasnosti/",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "09.11.2022",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "29.07.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "13.05.2024",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-03597",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-45143",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u0410\u041b\u042c\u0422 \u0421\u041f 10, Oracle Exadata, Tomcat",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f - (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.8 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u041b\u042c\u0422 \u0421\u041f 10 - ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043b\u0430\u0441\u0441\u0430 JsonErrorReportValve \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Apache Tomcat, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043b\u0438\u044f\u043d\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043a\u043e\u0440\u0440\u0435\u043a\u0442\u043d\u043e\u0435 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0438\u043b\u0438 \u0441\u043e\u043a\u0440\u044b\u0442\u0438\u0435 \u0432\u044b\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-116)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043b\u0430\u0441\u0441\u0430 JsonErrorReportValve \u0441\u0435\u0440\u0432\u0435\u0440\u0430 \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u0439 Apache Tomcat \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u043e\u043c \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u043a\u043e\u0434\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0438\u043b\u0438 \u044d\u043a\u0440\u0430\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f \u0432\u044b\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043e\u043a\u0430\u0437\u0430\u0442\u044c \u0432\u043b\u0438\u044f\u043d\u0438\u0435 \u043d\u0430 \u0446\u0435\u043b\u043e\u0441\u0442\u043d\u043e\u0441\u0442\u044c \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj \nhttps://security.gentoo.org/glsa/202305-37\nhttps://security-tracker.debian.org/tracker/CVE-2022-45143\nhttps://www.openwall.com/lists/oss-security/2023/01/03/1\nhttps://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf\nhttps://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e\nhttps://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/valves/JsonErrorReportValve.html\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.8/\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://altsp.su/obnovleniya-bezopasnosti/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u0421\u0423\u0411\u0414, \u0421\u0435\u0442\u0435\u0432\u043e\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0435 \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u043e",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-116",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…