It was discovered that the Tomcat 9 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to perform an XSS attack. (CVE-2019-0221)
It was discovered that Tomcat 9 did not address HTTP/2 connection window exhaustion on write while addressing CVE-2019-0199. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-10072)
{ "availability": "No subscription required", "binaries": [ { "tomcat9": "9.0.16-3ubuntu0.18.04.1", "tomcat9-user": "9.0.16-3ubuntu0.18.04.1", "libtomcat9-embed-java": "9.0.16-3ubuntu0.18.04.1", "tomcat9-docs": "9.0.16-3ubuntu0.18.04.1", "libtomcat9-java": "9.0.16-3ubuntu0.18.04.1", "tomcat9-examples": "9.0.16-3ubuntu0.18.04.1", "tomcat9-common": "9.0.16-3ubuntu0.18.04.1", "tomcat9-admin": "9.0.16-3ubuntu0.18.04.1" } ] }