CVE-2022-34305: 
Java vulnerability analysis and mitigation

A Cross-Site Scripting (XSS) vulnerability was discovered in Apache Tomcat's Form authentication example within the examples web application. The vulnerability affects Apache Tomcat versions 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64, and 8.5.50 to 8.5.81. The issue was disclosed on June 23, 2022, and stems from the application displaying user-provided data without proper filtering (Apache Advisory, NVD).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue (CWE-79) with a CVSS v3.1 Base Score of 6.1 (MEDIUM). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs user interaction (UI:R). The scope is changed (S:C) with low confidentiality impact (C:L) and low integrity impact (I:L), but no availability impact (A:N) (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information or addition or modification of data. The vulnerability allows attackers to execute malicious scripts in the context of the user's browser session when the form authentication example is accessed (NetApp Advisory).

Users are advised to upgrade to Apache Tomcat versions 10.0.23, 9.0.65, or 8.5.82 or later, depending on their current version. These versions contain the necessary fixes for the vulnerability (Gentoo Advisory).