Bug 2102817 (CVE-2022-34305) - CVE-2022-34305 tomcat: XSS in examples web application
Summary: CVE-2022-34305 tomcat: XSS in examples web application
Keywords:
Status: NEW
Alias: CVE-2022-34305
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2102819
Blocks: 2102443
Reported: 2022-06-30 17:52 UTC by Patrick Del Bello
Modified: 2024-03-08 18:04 UTC (History)
CC: 25 users

Fixed In Version: Tomcat 10.1.0-M17, Tomcat 10.0.23, Tomcat 9.0.65, Tomcat 8.5.82
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Apache Tomcat package. The Form authentication example in the examples web application displayed user-provided data without filtering, exposing a cross-site scripting (XSS) vulnerability.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2022-06-30 17:52:58 UTC
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k
http://www.openwall.com/lists/oss-security/2022/06/23/1
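
The pattern behind this CVE, as an added illustration that is not Tomcat's code: a page echoes request parameters straight into its HTML response (body text and a form field's value attribute) with no output encoding, so attacker-supplied markup is parsed as markup. Tomcat's examples ship a util.HTMLFilter class whose filter() replaces <, >, & and " with character references; the hardened variant below uses Python's html.escape(), which does the same. The "which roles does the user hold" page shape, the function names and the sample role names are constructed for this example, not taken from the Tomcat examples JSP.

```python
import html


def html_filter(value: str) -> str:
    """HTML-context output encoding of one user-supplied string.

    Equivalent in effect to the examples' util.HTMLFilter.filter(): <, >, &
    and " become character references (html.escape also encodes ')."""
    return html.escape(value, quote=True)


def render_role_check(roles, user_roles, escape: bool) -> str:
    """Render a page reporting, for each requested role, whether the user holds it.

    escape=False reproduces the vulnerable pattern: request parameters are
    written verbatim into the HTML body and into an attribute value.
    escape=True is the hardened form: every user-controlled value is encoded
    for the HTML context it lands in. (Constructed scenario, not Tomcat's JSP.)
    """
    enc = html_filter if escape else (lambda s: s)
    out = ["<html><body>"]
    for role in roles:
        verdict = "are" if role in user_roles else "are not"
        # Body (text) context.
        out.append(f"<p>You {verdict} in role {enc(role)}</p>")
        # Attribute context: the form is re-populated so the user can resubmit.
        out.append(f'<input type="text" name="role" value="{enc(role)}">')
    out.append("</body></html>")
    return "\n".join(out)


def reflected_verbatim(page: str, payload: str) -> bool:
    """True if the submitted payload appears in the response exactly as sent,
    meaning the browser will parse attacker-controlled markup as markup."""
    return payload in page


# Constructed sample inputs (not captured from any real request): a benign
# role name, a body-context script payload and an attribute-breakout payload.
SAMPLE_ROLES = [
    "manager",
    "<script>alert(document.cookie)</script>",
    'x" onmouseover="alert(1)',
]
USER_ROLES = {"manager"}


if __name__ == "__main__":
    for escape in (False, True):
        page = render_role_check(SAMPLE_ROLES, USER_ROLES, escape)
        label = "escaped" if escape else "unfiltered"
        print(label, "reflects payloads verbatim:",
              [reflected_verbatim(page, p) for p in SAMPLE_ROLES[1:]])
```

Running it shows both payloads reflected verbatim in the unfiltered page and neither in the escaped one. Encoding is the fix for the reflection itself; the operational control is not to ship the examples web application at all: remove webapps/examples (and docs) from any non-development Tomcat instance, which is what the Tomcat security documentation already recommends.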

Comment 1 Patrick Del Bello 2022-06-30 17:56:16 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2102819]
