CVE-2019-0221
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-0221
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-0221.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2019-0221
- Aliases
- Related
- Published
- 2019-05-28T22:29:00Z
- Modified
- 2024-09-11T02:00:04Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
- References
-
- https://access.redhat.com/errata/RHSA-2019:3929
- https://access.redhat.com/errata/RHSA-2019:3931
- https://security.gentoo.org/glsa/202003-43
- https://security.netapp.com/advisory/ntap-20190606-0001/
- https://www.debian.org/security/2019/dsa-4596
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html
- http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2019/May/50
- http://www.securityfocus.com/bid/108545
- https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html
- https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/
- https://seclists.org/bugtraq/2019/Dec/43
- https://support.f5.com/csp/article/K13184144?utm_source=f5support&%3Butm_medium=RSS
- https://usn.ubuntu.com/4128-1/
- https://usn.ubuntu.com/4128-2/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
- https://security-tracker.debian.org/tracker/CVE-2019-0221
Affected packages
Debian:11 / tomcat9
Package
- Name
- tomcat9
- Purl
- pkg:deb/debian/tomcat9?arch=source
Debian:12 / tomcat9
Package
- Name
- tomcat9
- Purl
- pkg:deb/debian/tomcat9?arch=source
Debian:13 / tomcat9
Package
- Name
- tomcat9
- Purl
- pkg:deb/debian/tomcat9?arch=source
Git / github.com/apache/tomcat
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/tomcat
- Events
-
Last affectedLast affectedLast affectedIntroducedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedIntroducedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedLast affectedIntroducedLast affectedLast affectedLast affected