Fix CVE-2022-34305 XSS in the examples web application · apache/tomcat@8b60af9 · GitHub
Skip to content

Commit

Permalink
Fix CVE-2022-34305 XSS in the examples web application
Browse files Browse the repository at this point in the history 
The session attributes are the primary concern but filter the Principal
attributes as well to be on the safe side.
  • Loading branch information
@markt-asf
markt-asf committed Jun 23, 2022
1 parent 1bef182 commit 8b60af9
Show file tree
Hide file tree
Showing 2 changed files with 13 additions and 2 deletions.
4 changes: 4 additions & 0 deletions webapps/docs/changelog.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -151,6 +151,10 @@
Documentation. <bug>62245</bug>: Include <code>contextXsltFile</code>
when discussing options for configuring directory listings. (markt)
</fix>
<fix>
Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the
Form authentication example. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
Expand Down
11 changes: 9 additions & 2 deletions webapps/examples/jsp/security/protected/index.jsp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -107,7 +107,11 @@ enter it here:
}
type = type.replaceFirst("^java\\.lang\\.", "");
%>
<tr><td><%= name %></td><td><%= value %></td><td><%= type %></td>
<tr>
<td><%= util.HTMLFilter.filter(name) %></td>
<td><%= util.HTMLFilter.filter(String.valueOf(value)) %></td>
<td><%= util.HTMLFilter.filter(type) %></td>
</tr>
<%
}
%>
Expand Down Expand Up @@ -139,7 +143,10 @@ To add some data to the authenticated session, enter it here:
while (names.hasMoreElements()) {
String name = names.nextElement();
%>
<tr><td><%= name %></td><td><%= session.getAttribute(name) %></td>
<tr>
<td><%= util.HTMLFilter.filter(name) %></td>
<td><%= util.HTMLFilter.filter(String.valueOf(session.getAttribute(name))) %></td>
</tr>
<%
}
%>
Expand Down

8 comments on commit 8b60af9

@ManjunathMS35
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@markt-asf Sorry to contact you like this.

From our team we are getting the CVE-2022-34305 reported by BlackDuck scanning tool for several dependencies of Tomcat which we use from Spring boot, some of the dependencies are listed below

  1. org.apache.tomcat:tomcat-jdbc:9.0.63
  2. org.apache.tomcat:tomcat-servlet-api:9.0.63
  3. org.apache.tomcat:tomcat-annotations-api:9.0.63
  4. org.apache.tomcat:tomcat-el-api:9.0.63
  5. org.apache.tomcat:tomcat-jsp-api:9.0.63
  6. org.apache.tomcat:tomcat-juli:9.0.63
  7. org.apache.tomcat.embed:tomcat-embed-websocket:9.0.63
  8. org.apache.tomcat.embed:tomcat-embed-core:9.0.63
  9. org.apache.tomcat.embed:tomcat-embed-jasper:9.0.63
  10. org.apache.tomcat.embed:tomcat-embed-el:9.0.63

These dependencies does not contain the vulnerable example app code at all and I was wandering this might be a false positive. I couldn't confirm this, so could you please let me know which exact dependency is affected by this CVE?

@markt-asf
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None of the 9.0.63 JAR files are affected by this CVE.

@ManjunathMS35
Copy link

@ManjunathMS35 ManjunathMS35 commented on 8b60af9 Jul 11, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@markt-asf If none of the 9.0.63 JAR files are affected by this vulnerability then why it is included in the advisory list of affected ranges here https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k ?

@markt-asf
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because a Tomcat installation consists of more than just JAR files. This vulnerability was in a JSP.

@spartan1998
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @markt-asf
Can you please confirm the affected jsp file and the path for that file?

@markt-asf
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@spartan1998 Try reading the diff at the top of this page.

@spartan1998
Copy link

@spartan1998 spartan1998 commented on 8b60af9 Jul 13, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to know if this is a fix for the vulnerability because according to Apache official page, the fixed version is still not released.

@markt-asf
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which part of "Fix CVE-2022-34305" in both the commit comment and the change log entry is unclear?

Please sign in to comment.