https://bugzilla.redhat.com/show_bug.cgi?id=2102817
Bug ID: 2102817
Summary: CVE-2022-34305 tomcat: XSS in examples web application
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: pdelbell@redhat.com
CC: aileenc@redhat.com, alee@redhat.com, chazlett@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, gmalinko@redhat.com, gzaronikas@gmail.com, huwang@redhat.com, ivan.afonichev@gmail.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jclere@redhat.com, jochrist@redhat.com, jpavlik@redhat.com, jwon@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, mmadzin@redhat.com, pdelbell@redhat.com, peholase@redhat.com, pjindal@redhat.com, rhcs-maint@redhat.com, szappis@redhat.com
Blocks: 2102443
Target Milestone: ---
Classification: Other
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81, the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.
https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k
http://www.openwall.com/lists/oss-security/2022/06/23/1
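As an added illustration of the defect class described above (this is not code from Apache Tomcat or its examples web application; the class and method names are this example's own), the following self-contained Java program renders a "you entered" line the way a form-authentication example page would, once by concatenating the submitted value verbatim and once through an HTML-entity escaper, and includes a small check a reviewer can use to confirm the escaped rendering no longer carries the input's markup. The sample input is constructed and harmless.

```java
// Added example: output encoding for user-supplied values rendered into HTML.
// Not code from Apache Tomcat; all names below belong to this example only.
public class FormEchoExample {

    // Shape of the flaw behind CVE-2022-34305: the submitted value is placed
    // into the response body without any encoding.
    static String renderUnsafe(String username) {
        return "<p>You entered: " + username + "</p>";
    }

    // Hardened form: every user-controlled value is passed through an
    // HTML-entity escaper before it reaches the response.
    static String renderSafe(String username) {
        return "<p>You entered: " + escapeHtml(username) + "</p>";
    }

    // Minimal escaper for HTML text-node context. It encodes the five
    // characters that can close a text node or an attribute value; values
    // placed into attributes, URLs or script blocks need a context-specific
    // encoder instead of this one.
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Regression check: true when the rendered page still contains the raw
    // input and that input carries a tag delimiter, i.e. markup leaked through.
    static boolean leaksMarkup(String rendered, String input) {
        return input.indexOf('<') >= 0 && rendered.contains(input);
    }

    public static void main(String[] args) {
        // Constructed sample input: a benign markup probe, not an attack string.
        String submitted = "<b>alice</b>";

        String unsafe = renderUnsafe(submitted);
        String safe = renderSafe(submitted);

        System.out.println("unsafe: " + unsafe + "  leaksMarkup=" + leaksMarkup(unsafe, submitted));
        System.out.println("safe:   " + safe + "  leaksMarkup=" + leaksMarkup(safe, submitted));
    }
}
```

Run it with `java FormEchoExample.java` (Java 11 or newer). The unsafe rendering reports `leaksMarkup=true` because the `<b>` tags reach the page intact; the safe rendering reports `false` because they arrive as `&lt;b&gt;`. The same check, applied to any page that echoes request parameters, is a quick way to confirm that sample applications are either removed from production deployments or encode their output.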
Patrick Del Bello pdelbell@redhat.com changed:
What | Removed | Added
Depends On | | 2102819
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2102819 [Bug 2102819] CVE-2022-34305 tomcat: XSS in examples web application [fedora-all]
--- Comment #1 from Patrick Del Bello pdelbell@redhat.com ---
Created tomcat tracking bugs for this issue:
Affects: fedora-all [bug 2102819]
Patrick Del Bello pdelbell@redhat.com changed:
What | Removed | Added
Priority | medium | low
Severity | medium | low
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com ---
A flaw was found in the Apache Tomcat package. An example web application did not filter the form authentication example, exposing a Cross-site scripting (XSS) vulnerability.
shalini skhandel@redhat.com changed:
What | Removed | Added
Flags | | needinfo?(mharmsen@redhat.com)
Doc Type | --- | If docs needed, set a value
CC | | mharmsen@redhat.com, skhandel@redhat.com
Matthew Harmsen mharmsen@redhat.com changed:
What | Removed | Added
Flags | | needinfo?(csutherl@redhat.com), needinfo?(jmullike@redhat.com)
CC | | ckelley@redhat.com, edewata@redhat.com, jmullike@redhat.com
Matthew Harmsen mharmsen@redhat.com changed:
What | Removed | Added
Flags | needinfo?(mharmsen@redhat.com) |
Coty Sutherland csutherl@redhat.com changed:
What | Removed | Added
Flags | needinfo?(csutherl@redhat.com) |
Joshua Mulliken jmullike@redhat.com changed:
What | Removed | Added
Flags | needinfo?(jmullike@redhat.com) |
Patrick Del Bello pdelbell@redhat.com changed:
What | Removed | Added
Fixed In Version | | Tomcat 10.1.0-M17, Tomcat 10.0.23, Tomcat 9.0.65, Tomcat 8.5.82
Petr Čech pcech@redhat.com changed:
What | Removed | Added
Flags | | needinfo?(mharmsen@redhat.com)
CC | | pcech@redhat.com
Matthew Harmsen mharmsen@redhat.com changed:
What | Removed | Added
Flags | needinfo?(mharmsen@redhat.com) |
Bug 2102817 depends on bug 2102819, which changed state.
Bug 2102819 Summary: CVE-2022-34305 tomcat: XSS in examples web application [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=2102819
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | NOTABUG