Apache released a vulnerability report for Tomcat: XSS in examples web application (CVE-2022-34305).
This issue was reported to the Apache Tomcat Security Team on 22 June 2022 and made public on 23 June 2022.
Affects: 9.0.30 to 9.0.64
Reference: Apache Tomcat 9.x vulnerabilities
API Gateway 10.1 uses Tomcat library v9.0.52 (tomcat-embed-core-9.0.52-l7p1.jar), which is in the range of the affected Tomcat versions.
API Gateway 10.1
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81, the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.
CVE-2022-34305 does not apply to the product because the requirements for the vulnerability to be effective are not met in the Gateway.
We do not deploy any example applications/servlets in Tomcat, hence there is no impact.
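The two conditions this assessment rests on (a Tomcat version inside the affected ranges, and the examples web application actually being deployed) can be checked mechanically. The following is an added example, not vendor or Apache code. It assumes web applications are deployed from a directory and that the examples application keeps its stock name `examples`; all function names are hypothetical.

```python
import re
from pathlib import Path

# Affected ranges exactly as listed in the advisory text (bounds inclusive).
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M16"),
    ("10.0.0-M1", "10.0.22"),
    ("9.0.30", "9.0.64"),
    ("8.5.50", "8.5.81"),
]
_VERSION = r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?"

def parse_version(text):
    """Return a sortable key; milestones (-Mn) sort before the final x.y.z."""
    m = re.fullmatch(_VERSION, text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 0 if milestone else 1
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))

def version_from_jar(jar_name):
    """Pull the Tomcat version out of a tomcat-embed-core jar file name."""
    m = re.search(r"tomcat-embed-core-(" + _VERSION + r")", jar_name)
    if not m:
        raise ValueError(f"not a tomcat-embed-core jar: {jar_name!r}")
    return m.group(1)  # vendor suffixes such as -l7p1 are ignored

def version_in_affected_range(version):
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

def examples_app_deployed(app_base):
    """True if the stock examples app is present under its default name.
    Assumption: apps are deployed from a directory; a renamed copy is missed."""
    base = Path(app_base)
    return (base / "examples").is_dir() or (base / "examples.war").is_file()

def exposed(jar_name, app_base):
    """Both conditions must hold: affected version AND examples app deployed."""
    return (version_in_affected_range(version_from_jar(jar_name))
            and examples_app_deployed(app_base))

if __name__ == "__main__":
    import tempfile
    jar = "tomcat-embed-core-9.0.52-l7p1.jar"  # jar name quoted on this page
    with tempfile.TemporaryDirectory() as empty_app_base:  # constructed: no apps
        print(version_from_jar(jar), version_in_affected_range("9.0.52"),
              exposed(jar, empty_app_base))
```

For an embedded Tomcat that registers contexts programmatically, the directory check should be replaced by a review of the contexts the application adds at startup.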