CVE-2022-34305: Apache Tomcat Cross-Site Scripting Vulnerability
Tomcat released the latest security bulletin on June 23, which contains a cross-site scripting vulnerability (CVE-2022-34305). Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted websites. The malicious script can access any cookies, session tokens, or other sensitive information retained by your browser. This vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
The Tomcat server is a free open-source web application server. It is a lightweight application server. It is widely used in small and medium-sized systems and concurrent access users. It is the first choice for developing and debugging JSP programs.
The Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.
- Apache Tomcat 10.1.0-M1 to 10.1.0-M16
- Apache Tomcat 10.0.0-M1 to 10.0.22
- Apache Tomcat 9.0.30 to 9.0.64
- Apache Tomcat 8.5.50 to 8.5.81
- Apache Tomcat 10.1.0-M17 or later
- Apache Tomcat 10.0.23 or later
- Apache Tomcat 9.0.65 or later
- Apache Tomcat 8.5.82 or later
Tomcat has fixed the CVE-2022-34305 flaw in the latest version, and it is recommended that affected users upgrade the updates as soon as possible.