CVE-2019-0221
MEDIUM6.1EPSS 14.5%tomcat7 - security update
Published: 5/30/2019Modified: 4/28/2026
Description
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
Affected packages (3)
- Debian/tomcat7from 0, < 7.0.56-3+really7.0.94-1
- Debian/tomcat9from 0, < 9.0.16-4
- Maven/org.apache.tomcat.embed:tomcat-embed-core>= 9.0.0, < 9.0.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (48)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-0221
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-0221
- PATCHhttps://github.com/apache/tomcat
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html
- WEBhttp://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html
- WEBhttp://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html
- WEBhttps://access.redhat.com/errata/RHSA-2019:3929
- WEBhttps://access.redhat.com/errata/RHSA-2019:3931
- WEBhttp://seclists.org/fulldisclosure/2019/May/50
- WEBhttps://github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceea
- WEBhttps://github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7e
- WEBhttps://github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32da
- WEBhttps://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.debian.org/debian-lts-announce/2019/05/msg00044.html
- WEBhttps://lists.debian.org/debian-lts-announce/2019/08/msg00015.html
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46
- WEBhttps://seclists.org/bugtraq/2019/Dec/43
- WEBhttps://security.gentoo.org/glsa/202003-43
- WEBhttps://security.netapp.com/advisory/ntap-20190606-0001
- WEBhttps://support.f5.com/csp/article/K13184144?utm_source=f5support&%3Butm_medium=RSS
- WEBhttps://support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS
- WEBhttps://tomcat.apache.org/security-7.html
- WEBhttps://tomcat.apache.org/security-8.html
- WEBhttps://tomcat.apache.org/security-9.html
- WEBhttps://usn.ubuntu.com/4128-1
- WEBhttps://usn.ubuntu.com/4128-2
- WEBhttps://web.archive.org/web/20200227055048/http://www.securityfocus.com/bid/108545
- WEBhttps://www.debian.org/security/2019/dsa-4596
- WEBhttps://www.oracle.com/security-alerts/cpuapr2020.html
- WEBhttps://www.oracle.com/security-alerts/cpuApr2021.html
- WEBhttps://www.oracle.com/security-alerts/cpujan2020.html
- WEBhttps://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221