

Date: April 15, 2019


Tomcat, an open-source Java servlet container based on Apache, is susceptible to remote code execution when used in a custom configuration. If the enableCmdLineArguments parameter is enabled in the CGI servlet, an attacker can tamper with the command line arguments. The vulnerability stems from the way the JRE passes command line arguments.


Apache Tomcat uses the Common Gateway Interface (CGI) protocol, which web servers use to run command line scripts. While CGI is advantageous in that it is platform-independent, it has no vetting mechanism for the code that is passed on.

Since Windows can only accept one command line string per process, applications wrap their commands into one string. A subprocess then splits the string and passes the pieces as arguments. When the Java Runtime Environment (JRE) runs on Windows, the input arguments are not validated, which makes the process vulnerable to code injection. An attacker can subvert the splitting process and let Windows parse the arguments in ways unintended by the application.

For example, a metacharacter like ‘&’ can be used to split the commands if it has a preceding quotation mark ("). In this case, the malicious code injected after the ‘&’ character is executed. In the string below, systeminfo is executed as a separate command following the escaped quotation mark (") and the ‘&’ metacharacter. The intended separation should have occurred only at the ending quotation mark.

    foo.bat "pwd \"&systeminfo"

    0: [foo.bat]
    1: [pwd]
    2: [systeminfo]

The vulnerability can also cause a denial of service. Because Apache Tomcat waits for the Windows process to complete, a long-running command can be deployed to trigger the denial of service.

In addition to running Apache Tomcat on Windows with enableCmdLineArguments enabled, a successful exploit needs the following:

- executed CGI scripts are only batch files and the "executable" parameter is empty
- "privileged" is set to "true"

Affected Environments

Windows running any of the following versions of Tomcat:

- Tomcat 9 – versions 9.0.0.M1 through 9.0.17
- Tomcat 8 – versions 8.5.0 to 8.5.39
- Tomcat 7 – versions 7.0.0 to 7.0.93


Run the following patched versions of Tomcat on Windows:

- Apache Tomcat 9 – versions 9.0.18 or later
- Apache Tomcat 8 – versions 8.5.40 or later
- Apache Tomcat 7 – versions 7.0.93 or later


The affected versions can be safely used if:

- the default configuration is used
- CGI is disabled
- CGI is enabled, but the "enableCmdLineArguments" parameter is set to "false"
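One way to check a Tomcat web.xml against the safe-configuration conditions above, as an added example that is not part of the original advisory or of the Tomcat project. The function names and the sample XML are constructed for illustration, and treating an unset enableCmdLineArguments as enabled is a conservative assumption.

```python
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample web.xml fragment (not taken from a real deployment).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>executable</param-name>
      <param-value></param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

def _local(tag):
    """Drop the XML namespace so any web-app schema version matches."""
    return tag.rsplit("}", 1)[-1]

def _children(elem):
    """Map child tag name -> stripped text for one element."""
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def audit_cgi(web_xml_text):
    """Return one finding per CGI servlet that is not explicitly hardened."""
    findings = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _children(servlet).get("servlet-class") != CGI_CLASS:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                kv = _children(ip)
                params[kv.get("param-name", "")] = kv.get("param-value", "")
        flag = params.get("enableCmdLineArguments", "(unset)")
        # Assumption: only an explicit "false" counts as safe.
        if flag.lower() != "false":
            findings.append({"servlet": _children(servlet).get("servlet-name"),
                             "enableCmdLineArguments": flag,
                             "empty_executable": params.get("executable") == ""})
    return findings
```

An empty result means no CGI servlet is declared or every declared one sets enableCmdLineArguments to false; the "privileged" setting lives in the context configuration and is not covered by this check.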

Language: Java

Good to know:


Input Validation


OS Command Injections


Upgrade Version

Upgrade to version org.apache.tomcat.embed:tomcat-embed-core:7.0.94, 8.5.40, 9.0.18


Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete