CVE-2019-0221

State: PUBLISHED · Published: 2019-05-28 · Updated: 2024-08-04 · Assigner: apache

Description

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

CWE

(none)

Affected

Apache / Apache Tomcat — v=Apache Tomcat 9.0.0.M1 to 9.0.0.17 [affected]; v=8.5.0 to 8.5.39 [affected]; v=7.0.0 to 7.0.93 [affected]

CVSS

(none)

References

http://seclists.org/fulldisclosure/2019/May/50 mailing-list, x_refsource_FULLDISC
https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html mailing-list, x_refsource_MLIST
http://www.securityfocus.com/bid/108545 vdb-entry, x_refsource_BID
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/ vendor-advisory, x_refsource_FEDORA
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html vendor-advisory, x_refsource_SUSE
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/ vendor-advisory, x_refsource_FEDORA
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html vendor-advisory, x_refsource_SUSE
https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html mailing-list, x_refsource_MLIST
https://usn.ubuntu.com/4128-1/ vendor-advisory, x_refsource_UBUNTU
https://usn.ubuntu.com/4128-2/ vendor-advisory, x_refsource_UBUNTU
https://access.redhat.com/errata/RHSA-2019:3929 vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:3931 vendor-advisory, x_refsource_REDHAT
https://www.debian.org/security/2019/dsa-4596 vendor-advisory, x_refsource_DEBIAN
https://seclists.org/bugtraq/2019/Dec/43 mailing-list, x_refsource_BUGTRAQ
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E mailing-list, x_refsource_MLIST
https://security.gentoo.org/glsa/202003-43 vendor-advisory, x_refsource_GENTOO
https://www.oracle.com/security-alerts/cpuapr2020.html x_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2020.html x_refsource_MISC
https://www.oracle.com/security-alerts/cpuApr2021.html x_refsource_MISC
https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20190606-0001/ x_refsource_CONFIRM
https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/ x_refsource_MISC
https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS x_refsource_CONFIRM
http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html x_refsource_MISC

Source

cvelistV5-main/cves/2019/0xxx/CVE-2019-0221.json