CVE-2022-34305

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

CVSS v3 6.1 MEDIUM
CVSS v2.0 4.3 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/06/23/1	Mailing List Third Party Advisory
https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k	Mailing List Release Notes Third Party Advisory
https://security.gentoo.org/glsa/202208-34	Third Party Advisory
https://security.netapp.com/advisory/ntap-20220729-0006/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::

History

26 Oct 2022, 22:49

Type	Values Removed	Values Added
References	~~(GENTOO) https://security.gentoo.org/glsa/202208-34 -~~	(GENTOO) https://security.gentoo.org/glsa/202208-34 - Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20220729-0006/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20220729-0006/ - Third Party Advisory

21 Aug 2022, 05:15

Type	Values Removed	Values Added
References		(GENTOO) https://security.gentoo.org/glsa/202208-34 -

29 Jul 2022, 20:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20220729-0006/ -

29 Jun 2022, 16:42

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.3 v3 : 6.1
References	~~(MLIST) http://www.openwall.com/lists/oss-security/2022/06/23/1 -~~	(MLIST) http://www.openwall.com/lists/oss-security/2022/06/23/1 - Mailing List, Third Party Advisory
References	~~(CONFIRM) https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k -~~	(CONFIRM) https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k - Mailing List, Release Notes, Third Party Advisory
First Time		Apache Apache tomcat
CWE		CWE-79
CPE		cpe:2.3:a:apache:tomcat:10.1.0:milestone15:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone6:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone4:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone10:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone13:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone12:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone16:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone8:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone7:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone11:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone3:::::: cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone14:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone9:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone2:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone5:::::: cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::

23 Jun 2022, 17:15

Type	Values Removed	Values Added
References		(MLIST) http://www.openwall.com/lists/oss-security/2022/06/23/1 -
Summary	In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.	In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

23 Jun 2022, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-06-23 11:15

Updated : 2023-12-10 14:22

NVD link : CVE-2022-34305

Mitre link : CVE-2022-34305

CVE.ORG link : CVE-2022-34305

JSON object : View

Products Affected

apache

tomcat

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

6.1 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2022-34305

6.1^/10

4.3^/10

Attach tags to `CVE-2022-34305`