Description
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Apache | Apache Tomcat | affected |
|
Configuration 1 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Red Hat JBoss Web Server 3.1 | |||
| tomcat | cpe:/a:redhat:jboss_enterprise_web_server:3.1 | RHSA-2020:0860 | 2020-03-17T00:00:00Z |
| Red Hat JBoss Web Server 3 for RHEL 6 | |||
| tomcat7-0:7.0.70-38.ep7.el6 | cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6 | RHSA-2020:0861 | 2020-03-17T00:00:00Z |
| tomcat8-0:8.0.36-42.ep7.el6 | cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6 | RHSA-2020:0861 | 2020-03-17T00:00:00Z |
| tomcat-native-0:1.2.23-21.redhat_21.ep7.el6 | cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6 | RHSA-2020:0861 | 2020-03-17T00:00:00Z |
| Red Hat JBoss Web Server 3 for RHEL 7 | |||
| tomcat7-0:7.0.70-38.ep7.el7 | cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7 | RHSA-2020:0861 | 2020-03-17T00:00:00Z |
| tomcat8-0:8.0.36-42.ep7.el7 | cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7 | RHSA-2020:0861 | 2020-03-17T00:00:00Z |
| tomcat-native-0:1.2.23-21.redhat_21.ep7.el7 | cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7 | RHSA-2020:0861 | 2020-03-17T00:00:00Z |
| Red Hat JBoss Web Server 5 | |||
| tomcat | cpe:/a:redhat:jboss_enterprise_web_server:5.2 | RHSA-2019:3931 | 2019-11-20T00:00:00Z |
| Red Hat JBoss Web Server 5.2 on RHEL 6 | |||
| jws5-ecj-0:4.12.0-1.redhat_1.1.el6jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-javapackages-tools-0:3.4.1-5.15.11.el6jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el6jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el6jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-tomcat-0:9.0.21-10.redhat_4.1.el6jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-tomcat-native-0:1.2.21-34.redhat_34.el6jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el6jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| Red Hat JBoss Web Server 5.2 on RHEL 7 | |||
| jws5-ecj-0:4.12.0-1.redhat_1.1.el7jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-javapackages-tools-0:3.4.1-5.15.11.el7jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el7jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el7jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-tomcat-0:9.0.21-10.redhat_4.1.el7jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-tomcat-native-0:1.2.21-34.redhat_34.el7jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el7jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| Red Hat JBoss Web Server 5.2 on RHEL 8 | |||
| jws5-ecj-0:4.12.0-1.redhat_1.1.el8jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-javapackages-tools-0:3.4.1-5.15.11.el8jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el8jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el8jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-tomcat-0:9.0.21-10.redhat_4.1.el8jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-tomcat-native-0:1.2.21-34.redhat_34.el8jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
| jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el8jws | cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8 | RHSA-2019:3929 | 2019-11-20T00:00:00Z |
No data available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 Debian DLA |
DLA-1810-1 | tomcat7 security update |
| Debian DLA |
DLA-1883-1 | tomcat8 security update |
 Debian DSA |
DSA-4596-1 | tomcat8 security update |
 Github GHSA |
GHSA-jjpq-gp5q-8q6w | Cross-site scripting in Apache Tomcat |
 Ubuntu USN |
USN-4128-1 | Tomcat vulnerabilities |
| Ubuntu USN |
USN-4128-2 | Tomcat vulnerabilities |
| Ubuntu USN |
USN-6908-1 | Tomcat vulnerabilities |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: apache
Published:
Updated: 2024-08-04T17:44:15.953Z
Reserved: 2018-11-14T00:00:00.000Z
Link: CVE-2019-0221
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-05-28T22:29:00.563
Modified: 2024-11-21T04:16:31.373
Link: CVE-2019-0221
Redhat
OpenCVE Enrichment
No data.
Weaknesses