Home > Vulnerability Database > CVE-2019-0221

Mend.io Vulnerability Database

CVE-2019-0221

Good to know:

Date: May 28, 2019

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Language: Java

Severity Score

6.1

Related Resources (57)

Url: https://www.oracle.com/security-alerts/cpuapr2020.html

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3

Url: http://www.securityfocus.com/bid/108545

Url: https://security.netapp.com/advisory/ntap-20190606-0001/

Url: https://github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32da

Url: http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html

Url: https://support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS

Url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E

Url: https://github.com/apache/tomcat

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/

Url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

Url: https://github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceea

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46

Url: http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-0221

Url: http://seclists.org/fulldisclosure/2019/May/50

Url: https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html

Url: https://usn.ubuntu.com/4128-1/

Url: https://security.netapp.com/advisory/ntap-20190606-0001

Url: https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/

Url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E

Url: https://usn.ubuntu.com/4128-2/

Url: https://access.redhat.com/security/cve/CVE-2019-0221

Url: https://www.debian.org/security/2019/dsa-4596

Url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

Url: https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E

Url: https://www.oracle.com/security-alerts/cpujan2020.html

Url: https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221

Url: https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:3931

Url: https://www.oracle.com/security-alerts/cpuApr2021.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46

Url: https://tomcat.apache.org/security-8.html

Url: https://web.archive.org/web/20200227055048/http://www.securityfocus.com/bid/108545

Url: https://github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7e

Url: https://seclists.org/bugtraq/2019/Dec/43

Url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

Url: https://support.f5.com/csp/article/K13184144?utm_source=f5support&%3Butm_medium=RSS

Url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3

Url: https://tomcat.apache.org/security-7.html

Url: https://access.redhat.com/errata/RHSA-2019:3929

Url: https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Url: https://usn.ubuntu.com/4128-1

Url: https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/

Url: http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html

Url: https://tomcat.apache.org/security-9.html

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

Url: https://security-tracker.debian.org/tracker/CVE-2019-0221

Url: https://usn.ubuntu.com/4128-2

Url: https://security.gentoo.org/glsa/202003-43

Url: https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E

Url: https://www.mend.io/vulnerability-database/CVE-2019-0221

Severity Score

6.1

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version org.apache.tomcat.embed:tomcat-embed-core:9.0.17;org.apache.tomcat.embed:tomcat-embed-core:8.5.40;org.apache.tomcat.embed:tomcat-embed-core:7.0.94

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	PARTIAL
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-0221

Good to know:

Date: May 28, 2019

Language: Java

Severity Score

Related Resources (57)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?