VYPR
High severityNVD Advisory· Published Apr 15, 2019· Updated Aug 4, 2024

CVE-2019-0232

CVE-2019-0232

Description

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 9.0.0.M1, < 9.0.179.0.17
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 8.0.0, < 8.5.408.5.40
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 7.0.0, < 7.0.947.0.94

Affected products

2

Patches

Vulnerability mechanics

References

55

News mentions

0

No linked articles in our index yet.