{"api_version":"1","generated_at":"2026-04-22T23:30:59+00:00","cve":"CVE-2022-45143","urls":{"html":"https://cve.report/CVE-2022-45143","api":"https://cve.report/api/cve/CVE-2022-45143.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-45143","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-45143"},"summary":{"title":"CVE-2022-45143","description":"The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2023-01-03 19:15:00","updated_at":"2023-06-27 13:15:00"},"problem_types":["CWE-116"],"metrics":[],"references":[{"url":"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj","name":"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202305-37","name":"https://security.gentoo.org/glsa/202305-37","refsource":"MISC","tags":[],"title":"Apache Tomcat: Multiple Vulnerabilities (GLSA 202305-37) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-45143","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-45143","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone10","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone11","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone12","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone13","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone14","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone15","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone16","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone17","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone3","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone4","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone5","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone6","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone7","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone8","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.0","cpe7":"milestone9","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"10.1.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"45143","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"8.5.83","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-45143","qid":"150628","title":"Apache Tomcat JsonErrorReportValve Injection Vulnerability (CVE-2022-45143)"},{"cve":"CVE-2022-45143","qid":"181700","title":"Debian Security Update for tomcat9 (DSA 5381-1)"},{"cve":"CVE-2022-45143","qid":"182371","title":"Debian Security Update for tomcat9 (CVE-2022-45143)"},{"cve":"CVE-2022-45143","qid":"20341","title":"Oracle Database 19c Critical Patch Update - April 2023"},{"cve":"CVE-2022-45143","qid":"20342","title":"Oracle Database 21c Critical Patch Update - April 2023"},{"cve":"CVE-2022-45143","qid":"20343","title":"Oracle Database 19c Critical OJVM Patch Update - April 2023"},{"cve":"CVE-2022-45143","qid":"20354","title":"Oracle Database 19c Critical Patch Update - July 2023"},{"cve":"CVE-2022-45143","qid":"20355","title":"Oracle Database 21c Critical Patch Update - July 2023"},{"cve":"CVE-2022-45143","qid":"20356","title":"Oracle Database 19c Critical OJVM Patch Update - July 2023"},{"cve":"CVE-2022-45143","qid":"355155","title":"Amazon Linux Security Advisory for tomcat9 : ALAS2023-2023-176"},{"cve":"CVE-2022-45143","qid":"356243","title":"Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-013"},{"cve":"CVE-2022-45143","qid":"356298","title":"Amazon Linux Security Advisory for tomcat : ALASTOMCAT9-2023-008"},{"cve":"CVE-2022-45143","qid":"710733","title":"Gentoo Linux Apache Tomcat Multiple Vulnerabilities (GLSA 202305-37)"},{"cve":"CVE-2022-45143","qid":"730681","title":"Apache Tomcat JsonErrorReportValve injection Vulnerability (CVE-2022-45143)"},{"cve":"CVE-2022-45143","qid":"730682","title":"Apache Tomcat JsonErrorReportValve injection Vulnerability (CVE-2022-45143)"},{"cve":"CVE-2022-45143","qid":"730683","title":"Apache Tomcat JsonErrorReportValve injection Vulnerability (CVE-2022-45143)"},{"cve":"CVE-2022-45143","qid":"730980","title":"Atlassian Confluence Data Center and Server Unauthenticated expose to assets (CONFSERVER-93173)"},{"cve":"CVE-2022-45143","qid":"753910","title":"SUSE Enterprise Linux Security Update for tomcat (SUSE-SU-2023:1853-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-45143","ASSIGNER":"security@apache.org","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-116 Improper Encoding or Escaping of Output","cweId":"CWE-116"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Apache Software Foundation","product":{"product_data":[{"product_name":"Apache Tomcat","version":{"version_data":[{"version_value":"not down converted","x_cve_json_5_version_data":{"versions":[{"lessThanOrEqual":"10.1.1","status":"affected","version":"10.1.0-M1","versionType":"semver"},{"lessThanOrEqual":"9.0.68","status":"affected","version":"9.0.40","versionType":"semver"},{"status":"affected","version":"8.5.83"}],"defaultStatus":"affected"}}]}}]}}]}},"references":{"reference_data":[{"url":"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj","refsource":"MISC","name":"https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj"},{"url":"https://security.gentoo.org/glsa/202305-37","refsource":"MISC","name":"https://security.gentoo.org/glsa/202305-37"}]},"generator":{"engine":"Vulnogram 0.1.0-dev"},"source":{"discovery":"INTERNAL"}},"nvd":{"publishedDate":"2023-01-03 19:15:00","lastModifiedDate":"2023-06-27 13:15:00","problem_types":["CWE-116"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone3:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone4:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone5:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone2:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone7:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone8:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone9:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone6:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone10:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone11:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone12:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone13:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone14:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone16:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone15:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.0:milestone17:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:10.1.1:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.40","versionEndExcluding":"9.0.69","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:tomcat:8.5.83:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}