UBUNTU-CVE-2019-0221
- Source
- https://ubuntu.com/security/CVE-2019-0221
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-0221.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2019-0221
- Upstream
- Downstream
- Related
- Published
- 2019-05-28T00:00:00Z
- Modified
- 2025-09-08T16:45:10Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Ubuntu - low
- Summary
- [none]
- Details
-
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
- References
-
- https://ubuntu.com/security/CVE-2019-0221
- https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3Cb1905aa6-f340-8d0b-58c4-8ac3ebcbfa54@apache.org%3E
- https://ubuntu.com/security/notices/USN-4128-1
- https://ubuntu.com/security/notices/USN-4128-2
- https://www.cve.org/CVERecord?id=CVE-2019-0221
- https://ubuntu.com/security/notices/USN-6908-1
Affected packages
Ubuntu:16.04:LTS
tomcat8
Package
- Name
- tomcat8
- Purl
- pkg:deb/ubuntu/tomcat8@8.0.32-1ubuntu1.10?arch=source&distro=xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.0.32-1ubuntu1.10
Affected versions
8.*
8.0.26-1
8.0.28-1
8.0.30-1
8.0.32-1
8.0.32-1ubuntu1
8.0.32-1ubuntu1.1
8.0.32-1ubuntu1.2
8.0.32-1ubuntu1.3
8.0.32-1ubuntu1.4
8.0.32-1ubuntu1.5
8.0.32-1ubuntu1.6
8.0.32-1ubuntu1.7
8.0.32-1ubuntu1.8
8.0.32-1ubuntu1.9
Ecosystem specific
{
"binaries": [
{
"binary_version": "8.0.32-1ubuntu1.10",
"binary_name": "libservlet3.1-java"
},
{
"binary_version": "8.0.32-1ubuntu1.10",
"binary_name": "libtomcat8-java"
},
{
"binary_version": "8.0.32-1ubuntu1.10",
"binary_name": "tomcat8"
},
{
"binary_version": "8.0.32-1ubuntu1.10",
"binary_name": "tomcat8-admin"
},
{
"binary_version": "8.0.32-1ubuntu1.10",
"binary_name": "tomcat8-common"
},
{
"binary_version": "8.0.32-1ubuntu1.10",
"binary_name": "tomcat8-docs"
},
{
"binary_version": "8.0.32-1ubuntu1.10",
"binary_name": "tomcat8-examples"
},
{
"binary_version": "8.0.32-1ubuntu1.10",
"binary_name": "tomcat8-user"
}
],
"availability": "No subscription required"
}Ubuntu:18.04:LTS
tomcat8
Package
- Name
- tomcat8
- Purl
- pkg:deb/ubuntu/tomcat8@8.5.39-1ubuntu1~18.04.3?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.5.39-1ubuntu1~18.04.3
Affected versions
8.*
8.5.21-1ubuntu1
8.5.29-1
8.5.30-1
8.5.30-1ubuntu1
8.5.30-1ubuntu1.2
8.5.30-1ubuntu1.3
8.5.30-1ubuntu1.4
8.5.39-1ubuntu1~18.04.1
8.5.39-1ubuntu1~18.04.2
Ecosystem specific
{
"binaries": [
{
"binary_version": "8.5.39-1ubuntu1~18.04.3",
"binary_name": "libtomcat8-embed-java"
},
{
"binary_version": "8.5.39-1ubuntu1~18.04.3",
"binary_name": "libtomcat8-java"
},
{
"binary_version": "8.5.39-1ubuntu1~18.04.3",
"binary_name": "tomcat8"
},
{
"binary_version": "8.5.39-1ubuntu1~18.04.3",
"binary_name": "tomcat8-admin"
},
{
"binary_version": "8.5.39-1ubuntu1~18.04.3",
"binary_name": "tomcat8-common"
},
{
"binary_version": "8.5.39-1ubuntu1~18.04.3",
"binary_name": "tomcat8-docs"
},
{
"binary_version": "8.5.39-1ubuntu1~18.04.3",
"binary_name": "tomcat8-examples"
},
{
"binary_version": "8.5.39-1ubuntu1~18.04.3",
"binary_name": "tomcat8-user"
}
],
"availability": "No subscription required"
}tomcat9
Package
- Name
- tomcat9
- Purl
- pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.1?arch=source&distro=bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed9.0.16-3ubuntu0.18.04.1
Ecosystem specific
{
"binaries": [
{
"binary_version": "9.0.16-3ubuntu0.18.04.1",
"binary_name": "libtomcat9-embed-java"
},
{
"binary_version": "9.0.16-3ubuntu0.18.04.1",
"binary_name": "libtomcat9-java"
},
{
"binary_version": "9.0.16-3ubuntu0.18.04.1",
"binary_name": "tomcat9"
},
{
"binary_version": "9.0.16-3ubuntu0.18.04.1",
"binary_name": "tomcat9-admin"
},
{
"binary_version": "9.0.16-3ubuntu0.18.04.1",
"binary_name": "tomcat9-common"
},
{
"binary_version": "9.0.16-3ubuntu0.18.04.1",
"binary_name": "tomcat9-docs"
},
{
"binary_version": "9.0.16-3ubuntu0.18.04.1",
"binary_name": "tomcat9-examples"
},
{
"binary_version": "9.0.16-3ubuntu0.18.04.1",
"binary_name": "tomcat9-user"
}
],
"availability": "No subscription required"
}Ubuntu:Pro:14.04:LTS
tomcat7
Package
- Name
- tomcat7
- Purl
- pkg:deb/ubuntu/tomcat7@7.0.52-1ubuntu0.16+esm1?arch=source&distro=trusty/esm
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.0.52-1ubuntu0.16+esm1
Affected versions
7.*
7.0.42-1
7.0.47-1
7.0.50-1
7.0.52-1
7.0.52-1ubuntu0.1
7.0.52-1ubuntu0.3
7.0.52-1ubuntu0.6
7.0.52-1ubuntu0.7
7.0.52-1ubuntu0.8
7.0.52-1ubuntu0.9
7.0.52-1ubuntu0.10
7.0.52-1ubuntu0.11
7.0.52-1ubuntu0.13
7.0.52-1ubuntu0.14
7.0.52-1ubuntu0.15
7.0.52-1ubuntu0.16
Ecosystem specific
{
"binaries": [
{
"binary_version": "7.0.52-1ubuntu0.16+esm1",
"binary_name": "libservlet3.0-java"
},
{
"binary_version": "7.0.52-1ubuntu0.16+esm1",
"binary_name": "libtomcat7-java"
},
{
"binary_version": "7.0.52-1ubuntu0.16+esm1",
"binary_name": "tomcat7"
},
{
"binary_version": "7.0.52-1ubuntu0.16+esm1",
"binary_name": "tomcat7-admin"
},
{
"binary_version": "7.0.52-1ubuntu0.16+esm1",
"binary_name": "tomcat7-common"
},
{
"binary_version": "7.0.52-1ubuntu0.16+esm1",
"binary_name": "tomcat7-docs"
},
{
"binary_version": "7.0.52-1ubuntu0.16+esm1",
"binary_name": "tomcat7-examples"
},
{
"binary_version": "7.0.52-1ubuntu0.16+esm1",
"binary_name": "tomcat7-user"
}
],
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"
}Ubuntu:Pro:16.04:LTS
tomcat7
Package
- Name
- tomcat7
- Purl
- pkg:deb/ubuntu/tomcat7@7.0.68-1ubuntu0.4+esm2?arch=source&distro=esm-apps/xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.0.68-1ubuntu0.4+esm2
Affected versions
7.*
7.0.64-1
7.0.68-1
7.0.68-1ubuntu0.1
7.0.68-1ubuntu0.3
7.0.68-1ubuntu0.4
7.0.68-1ubuntu0.4+esm1
Ecosystem specific
{
"binaries": [
{
"binary_version": "7.0.68-1ubuntu0.4+esm2",
"binary_name": "libservlet3.0-java"
},
{
"binary_version": "7.0.68-1ubuntu0.4+esm2",
"binary_name": "libtomcat7-java"
},
{
"binary_version": "7.0.68-1ubuntu0.4+esm2",
"binary_name": "tomcat7"
},
{
"binary_version": "7.0.68-1ubuntu0.4+esm2",
"binary_name": "tomcat7-admin"
},
{
"binary_version": "7.0.68-1ubuntu0.4+esm2",
"binary_name": "tomcat7-common"
},
{
"binary_version": "7.0.68-1ubuntu0.4+esm2",
"binary_name": "tomcat7-docs"
},
{
"binary_version": "7.0.68-1ubuntu0.4+esm2",
"binary_name": "tomcat7-examples"
},
{
"binary_version": "7.0.68-1ubuntu0.4+esm2",
"binary_name": "tomcat7-user"
}
],
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro"
}