MEDIUM 6.1

GHSA-jjpq-gp5q-8q6w

Cross-site scripting in Apache Tomcat

Details

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.


Affected packages

Package (Maven)                              Introduced in   Fixed in
org.apache.tomcat.embed:tomcat-embed-core    9.0.0           9.0.17
org.apache.tomcat.embed:tomcat-embed-core    8.5.0           8.5.40
org.apache.tomcat.embed:tomcat-embed-core    7.0.0           7.0.94
org.apache.tomcat:tomcat-catalina            9.0.0           9.0.17
org.apache.tomcat:tomcat-catalina            8.5.0           8.5.40
org.apache.tomcat:tomcat-catalina            7.0.0           7.0.94
org.apache.tomcat:tomcat                     9.0.0           9.0.17
org.apache.tomcat:tomcat                     8.5.0           8.5.40
org.apache.tomcat:tomcat                     7.0.0           7.0.94

Fix: in pom.xml, bump the <version> of the affected artifact to the fixed version for its branch (9.0.17, 8.5.40 or 7.0.94).
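As an added example (not part of this advisory or of the Tomcat project), a Python check that parses a pom.xml and flags the three Maven artifacts above when their version falls inside the introduced/fixed ranges listed here. The pom.xml content is constructed for the demo, and treating a milestone such as 9.0.0.M1 as a pre-release inside the 9.0.0 branch is an assumption.

```python
"""Flag Tomcat Maven dependencies whose version is in this advisory's ranges."""
import re
import xml.etree.ElementTree as ET

# (introduced, first fixed) per branch, as listed on this page.
AFFECTED_RANGES = [("9.0.0", "9.0.17"), ("8.5.0", "8.5.40"), ("7.0.0", "7.0.94")]
AFFECTED_ARTIFACTS = {
    ("org.apache.tomcat.embed", "tomcat-embed-core"),
    ("org.apache.tomcat", "tomcat-catalina"),
    ("org.apache.tomcat", "tomcat"),
}
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version):
    """Comparable tuple for a dotted version; numeric parts compare as ints.
    Assumption: a trailing label (M1, RC2) keeps the release inside its branch,
    so 9.0.0.M1 sorts after 9.0.0 and well before 9.0.17."""
    return tuple((1, int(p)) if p.isdigit() else (0, p)
                 for p in re.split(r"[.\-]", version))


def is_affected(version):
    """True when version lies in [introduced, fixed) for any listed branch."""
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED_RANGES)


def vulnerable_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] for affected Tomcat artifacts."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iterfind(".//m:dependency", POM_NS):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        version = dep.findtext("m:version", default="", namespaces=POM_NS)
        if (group, artifact) in AFFECTED_ARTIFACTS and version and is_affected(version):
            found.append((group, artifact, version))
    return found


# Constructed sample pom.xml: one affected and one already-fixed dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>org.apache.tomcat.embed</groupId>
<artifactId>tomcat-embed-core</artifactId><version>9.0.16</version></dependency>
<dependency><groupId>org.apache.tomcat</groupId>
<artifactId>tomcat-catalina</artifactId><version>8.5.40</version></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    for group, artifact, version in vulnerable_dependencies(SAMPLE_POM):
        print(f"{group}:{artifact}:{version} is in an affected range; bump <version>")
```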
