Broadcom API Gateway 10.1 - CVE-2022-34305 Tomcat vulnerability
Article ID: 246646

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

Apache has published a vulnerability report for Tomcat: CVE-2022-34305, XSS in the examples web application.

This issue was reported to the Apache Tomcat Security Team on 22 June 2022 and made public on 23 June 2022.
Affects: 9.0.30 to 9.0.64

Reference: Apache Tomcat 9.x vulnerabilities

API Gateway 10.1 uses the Tomcat library version 9.0.52 (tomcat-embed-core-9.0.52-l7p1.jar), which falls within the range of affected Tomcat versions.

Environment

API Gateway 10.1

Cause

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81, the Form authentication example in the examples web application displayed user-provided data without filtering, exposing an XSS vulnerability.

Resolution

CVE-2022-34305 does not apply to the product because the requirements for the vulnerability to be effective are not met in the Gateway.

We do not deploy any example applications/servlets in Tomcat, hence there is no impact.
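The applicability argument above has two parts: the Tomcat version must fall in one of the affected ranges, and the examples web application must actually be deployed. The following Python script, added here as an illustration and not code from Broadcom or from the Apache Tomcat project, encodes that two-part check so it can be repeated against another Gateway build or another Tomcat install. The affected ranges are the ones listed in the Cause section; the milestone ordering (10.0.0-M1 sorts before the 10.0.0 release) follows Tomcat's own version scheme. The `webapps/examples` directory and `examples.war` names are the standard Tomcat layout and are an assumption here; for an embedded Tomcat such as the Gateway's, confirm where (if anywhere) web applications are deployed before relying on the directory check.

```python
import os
import re

# Affected ranges as published for CVE-2022-34305 (inclusive, from the Tomcat advisory).
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M16"),
    ("10.0.0-M1", "10.0.22"),
    ("9.0.30", "9.0.64"),
    ("8.5.50", "8.5.81"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version):
    """Turn '9.0.52' or '10.1.0-M16' into a sortable tuple.

    A milestone build (M-suffix) precedes the GA release of the same number,
    so the fourth element is 0 for milestones and 1 for GA.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected_version(version):
    """True if the Tomcat version lies inside any published affected range."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def tomcat_version_from_jar_name(jar_name):
    """Extract the upstream Tomcat version from an embedded-core jar name.

    Vendor suffixes such as '-l7p1' (seen in the Gateway's jar) are ignored;
    only the upstream major.minor.patch[-Mn] part is returned.
    """
    m = re.search(r"tomcat-embed-core-(\d+\.\d+\.\d+(?:-M\d+)?)", jar_name)
    if not m:
        raise ValueError(f"not a tomcat-embed-core jar name: {jar_name!r}")
    return m.group(1)


def examples_webapp_in_entries(entries):
    """True if a directory listing contains the examples web application.

    Assumption: standard Tomcat layout, where the app appears as an exploded
    'examples' directory or an undeployed 'examples.war' under webapps/.
    """
    return "examples" in entries or "examples.war" in entries


def examples_webapp_deployed(webapps_dir):
    """Filesystem wrapper: a missing webapps directory means nothing is deployed."""
    if not os.path.isdir(webapps_dir):
        return False
    return examples_webapp_in_entries(os.listdir(webapps_dir))


def cve_2022_34305_applies(version, webapps_dir):
    """Both conditions from the advisory must hold for the CVE to be relevant."""
    return is_affected_version(version) and examples_webapp_deployed(webapps_dir)


if __name__ == "__main__":
    # Constructed inputs mirroring this article: the Gateway's jar and a
    # placeholder webapps path (no examples app present at that path).
    jar = "tomcat-embed-core-9.0.52-l7p1.jar"
    version = tomcat_version_from_jar_name(jar)
    print(f"{jar}: upstream Tomcat {version}, "
          f"version affected = {is_affected_version(version)}")
    print("examples webapp deployed =",
          examples_webapp_deployed("/path/to/tomcat/webapps"))  # placeholder path
```

The version check alone would flag the Gateway as affected (9.0.52 is inside 9.0.30 to 9.0.64); only the second check, showing that the examples application is not deployed, turns the result into "not applicable", which is exactly the reasoning in the Resolution.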