Moderate severityNVD Advisory· Published May 28, 2019· Updated Aug 4, 2024
CVE-2019-0221
CVE-2019-0221
Description
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 9.0.0, < 9.0.17 | 9.0.17 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 8.5.0, < 8.5.40 | 8.5.40 |
org.apache.tomcat.embed:tomcat-embed-coreMaven | >= 7.0.0, < 7.0.94 | 7.0.94 |
org.apache.tomcat:tomcat-catalinaMaven | >= 9.0.0, < 9.0.17 | 9.0.17 |
org.apache.tomcat:tomcat-catalinaMaven | >= 8.5.0, < 8.5.40 | 8.5.40 |
org.apache.tomcat:tomcat-catalinaMaven | >= 7.0.0, < 7.0.94 | 7.0.94 |
org.apache.tomcat:tomcatMaven | >= 9.0.0, < 9.0.17 | 9.0.17 |
org.apache.tomcat:tomcatMaven | >= 8.5.0, < 8.5.40 | 8.5.40 |
org.apache.tomcat:tomcatMaven | >= 7.0.0, < 7.0.94 | 7.0.94 |
Affected products
25- ghsa-coords24 versionspkg:maven/org.apache.tomcat.embed/tomcat-embed-corepkg:rpm/opensuse/tomcat10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.0pkg:rpm/opensuse/tomcat&distro=openSUSE%20Leap%2015.1pkg:rpm/opensuse/tomcat&distro=openSUSE%20Tumbleweedpkg:rpm/suse/tomcat6&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3pkg:rpm/suse/tomcat6&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSSpkg:rpm/suse/tomcat&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/tomcat&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/tomcat&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
>= 9.0.0, < 9.0.17+ 23 more
- (no CPE)range: >= 9.0.0, < 9.0.17
- (no CPE)range: < 10.1.14-1.1
- (no CPE)range: < 9.0.20-lp150.2.19.1
- (no CPE)range: < 9.0.21-lp151.3.3.1
- (no CPE)range: < 9.0.36-8.4
- (no CPE)range: < 6.0.53-0.57.16.1
- (no CPE)range: < 6.0.53-0.57.16.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 9.0.20-3.24.2
- (no CPE)range: < 9.0.21-4.5.5
- (no CPE)range: < 8.0.53-10.43.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 9.0.21-3.13.2
- (no CPE)range: < 8.0.53-10.43.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 9.0.21-3.13.2
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- (no CPE)range: < 8.0.53-29.27.1
- Apache/Apache Tomcatv5Range: Apache Tomcat 9.0.0.M1 to 9.0.0.17
Patches
Vulnerability mechanics
References
54- lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.htmlghsavendor-advisoryx_refsource_SUSEWEB
- lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.htmlghsavendor-advisoryx_refsource_SUSEWEB
- access.redhat.com/errata/RHSA-2019:3929ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2019:3931ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-jjpq-gp5q-8q6wghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2019-0221ghsaADVISORY
- security.gentoo.org/glsa/202003-43ghsavendor-advisoryx_refsource_GENTOOWEB
- usn.ubuntu.com/4128-1/mitrevendor-advisoryx_refsource_UBUNTU
- usn.ubuntu.com/4128-2/mitrevendor-advisoryx_refsource_UBUNTU
- www.debian.org/security/2019/dsa-4596ghsavendor-advisoryx_refsource_DEBIANWEB
- packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.htmlghsax_refsource_MISCWEB
- seclists.org/fulldisclosure/2019/May/50ghsamailing-listx_refsource_FULLDISCWEB
- www.securityfocus.com/bid/108545mitrevdb-entryx_refsource_BID
- github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceeaghsaWEB
- github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7eghsaWEB
- github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32daghsaWEB
- lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3Eghsax_refsource_CONFIRMWEB
- lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3Eghsamailing-listx_refsource_MLISTWEB
- lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.debian.org/debian-lts-announce/2019/05/msg00044.htmlghsamailing-listx_refsource_MLISTWEB
- lists.debian.org/debian-lts-announce/2019/08/msg00015.htmlghsamailing-listx_refsource_MLISTWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46ghsaWEB
- seclists.org/bugtraq/2019/Dec/43ghsamailing-listx_refsource_BUGTRAQWEB
- security.netapp.com/advisory/ntap-20190606-0001ghsaWEB
- security.netapp.com/advisory/ntap-20190606-0001/mitrex_refsource_CONFIRM
- support.f5.com/csp/article/K13184144ghsax_refsource_CONFIRMWEB
- support.f5.com/csp/article/K13184144ghsaWEB
- tomcat.apache.org/security-7.htmlghsaWEB
- tomcat.apache.org/security-8.htmlghsaWEB
- tomcat.apache.org/security-9.htmlghsaWEB
- usn.ubuntu.com/4128-1ghsaWEB
- usn.ubuntu.com/4128-2ghsaWEB
- web.archive.org/web/20200227055048/http://www.securityfocus.com/bid/108545ghsaWEB
- www.oracle.com/security-alerts/cpuApr2021.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpuapr2020.htmlghsax_refsource_MISCWEB
- www.oracle.com/security-alerts/cpujan2020.htmlghsax_refsource_MISCWEB
- wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221ghsaWEB
- wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.