CVE-2022-45143
Improper Input Neutralization vulnerability in org.apache.tomcat.embed:tomcat-embed-core

What is CVE-2022-45143 About?

This Improper Input Neutralization vulnerability in Apache Tomcat's JsonErrorReportValve (versions 8.5.83, 9.0.40 to 9.0.68, and 10.1.0-M1 to 10.1.1) allows attackers to manipulate JSON output. It occurs because input values like 'type', 'message', or 'description' are not escaped, enabling users to inject data that invalidates or alters the JSON structure. Exploitation is plausible when user-provided data is used in error reports.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >10.1.0, <10.1.2
    • >9.0.40, <9.0.69
    • >8.5.83, <8.5.84
  • org.apache.tomcat:tomcat-catalina
    • >10.1.0, <10.1.2
  • org.apache.tomcat:tomcat-util
    • >9.0.40, <9.0.69
    • >8.5.83, <8.5.84

Technical Details

The `JsonErrorReportValve` in Apache Tomcat, specifically in versions 8.5.83, 9.0.40 to 9.0.68, and 10.1.0-M1 to 10.1.1, fails to properly escape user-provided data when constructing JSON error reports. The fields `type`, `message`, and `description` within these error reports can be populated with values sourced directly or indirectly from user input. Without proper escaping of special JSON characters (like double quotes or backslashes) in these fields, an attacker can supply input that prematurely terminates a JSON string, injects new JSON keys or values, or otherwise malforms the JSON structure. This manipulation can lead to invalid JSON output, potentially breaking systems that parse these error reports or even facilitating other attacks if the parsing system is vulnerable to injection.
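The failure mode described above, modelled in Python as an added example (this is not Tomcat's Java source): the three fields are concatenated into a report with and without JSON string escaping, and a consumer-side parse classifies each result. The report layout, the `json_escape` helper, and the sample messages are constructed for illustration.

```python
import json

FIELDS = ("type", "message", "description")  # field names taken from the advisory

def json_escape(value):
    """Escape a string for placement inside a JSON string literal (RFC 8259)."""
    out = []
    for ch in value:
        if ch in ('"', "\\"):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_report(values, escape):
    """Assemble the report by string concatenation; the layout is an assumption."""
    parts = []
    for name in FIELDS:
        value = json_escape(values[name]) if escape else values[name]
        parts.append('  "%s": "%s"' % (name, value))
    return "{\n" + ",\n".join(parts) + "\n}"

def classify(report_text, values):
    """What a consumer sees: 'ok', 'altered' (parses, wrong content) or 'invalid'."""
    try:
        parsed = json.loads(report_text)
    except json.JSONDecodeError:
        return "invalid"
    return "ok" if parsed == values else "altered"

def compare(message):
    """Return (unescaped verdict, escaped verdict) for one constructed message."""
    values = {"type": "Status Report", "message": message,
              "description": "constructed sample"}
    return (classify(build_report(values, escape=False), values),
            classify(build_report(values, escape=True), values))

# Constructed sample messages, not taken from any real report.
SAMPLES = ['Not Found', 'bad value "abc', 'x", "status": "200', 'C:\\temp', 'a\nb']

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
```

The `altered` verdicts are the cases a consumer cannot detect by checking for parse errors alone, since the report is still well-formed JSON.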

What is the Impact of CVE-2022-45143?

Successful exploitation may allow attackers to manipulate JSON output, invalidate data, or potentially disrupt systems that consume the JSON error reports.

What is the Exploitability of CVE-2022-45143?

Exploitation of this vulnerability requires an attacker to supply specially crafted input that will ultimately be used to populate the `type`, `message`, or `description` fields of a JSON error report. The complexity is low to moderate, as it involves understanding how errors are generated and rendered in JSON by Tomcat. There are no specific authentication or privilege requirements beyond the ability to trigger an error condition with attacker-controlled data. This attack is remote, as error messages are typically generated in response to HTTP requests. The likelihood of exploitation is higher in applications where user-provided input is reflected verbatim in error messages or logs without sufficient sanitization.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2022-45143?

Available Upgrade Options

  • org.apache.tomcat:tomcat-catalina
    • >10.1.0, <10.1.2 → Upgrade to 10.1.2
  • org.apache.tomcat:tomcat-util
    • >8.5.83, <8.5.84 → Upgrade to 8.5.84
    • >9.0.40, <9.0.69 → Upgrade to 9.0.69
  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.5.83, <8.5.84 → Upgrade to 8.5.84
    • >9.0.40, <9.0.69 → Upgrade to 9.0.69
    • >10.1.0, <10.1.2 → Upgrade to 10.1.2

Additional Resources

What are Similar Vulnerabilities to CVE-2022-45143?

Similar Vulnerabilities: CVE-2021-42340, CVE-2021-43227, CVE-2022-26166, CVE-2022-29361, CVE-2022-31192