The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. https://lists.apache.org/thread/yqkd183xrw3wqvnpcg3osbcryq85fkzj
Created tomcat tracking bugs for this issue: Affects: epel-all [bug 2158760] Affects: fedora-all [bug 2158759]
Commits: https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e https://github.com/apache/tomcat/commit/0cab3a56bd89f70e7481bb0d68395dc7e130dbbf
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.7 on RHEL 7 Red Hat JBoss Web Server 5.7 on RHEL 8 Red Hat JBoss Web Server 5.7 on RHEL 9 Via RHSA-2023:1663 https://access.redhat.com/errata/RHSA-2023:1663
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2023:1664 https://access.redhat.com/errata/RHSA-2023:1664
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-45143
This issue has been addressed in the following products: Red Hat Fuse 7.12 Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954
This issue has been addressed in the following products: Red Hat support for Spring Boot 2.7.13 Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612
This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).