The "JsonErrorReportValve" in Apache Tomcat versions 8.5.83, 9.0.40 through 9.0.68, and 10.0.0-M10 through 10.1.1 did not escape the "type", "message", or "description" values. In some circumstances, these are constructed from user-provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
HIGH Vulnerable Package issue exists @ org.apache.tomcat.embed:tomcat-embed-core in branch master
Description
The "JsonErrorReportValve" in Apache Tomcat versions 8.5.83, 9.0.40 through 9.0.68, and 10.0.0-M10 through 10.1.1 did not escape the "type", "message", or "description" values. In some circumstances, these are constructed from user-provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.
HIGH Vulnerable Package issue exists @ org.apache.tomcat.embed:tomcat-embed-core in branch master
Vulnerability ID: CVE-2022-45143
Package Name: org.apache.tomcat.embed:tomcat-embed-core
Severity: HIGH
CVSS Score: 7.5
Publish Date: 2023-01-03T19:15:00
Current Package Version: 9.0.55
Remediation Upgrade Recommendation: 10.1.16
Link To SCA
Reference – NVD link