QwikSec

Security Database

CVE

CWE

Training

CVE-2019-0221

Published: May 28, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Vendor	Product	Versions
Apache	Apache Tomcat	affected `Apache Tomcat 9.0.0.M1 to 9.0.0.17` affected `8.5.0 to 8.5.39` affected `7.0.0 to 7.0.93`

References

20190529 XSS in SSI printenv command - Apache Tomcat - CVE-2019-0221

mailing-list

x_refsource_FULLDISC

[debian-lts-announce] 20190530 [SECURITY] [DLA 1810-1] tomcat7 security update

mailing-list

x_refsource_MLIST

vdb-entry

x_refsource_BID

FEDORA-2019-1a3f878d27

vendor-advisory

x_refsource_FEDORA

openSUSE-SU-2019:1673

vendor-advisory

x_refsource_SUSE

FEDORA-2019-d66febb5df

vendor-advisory

x_refsource_FEDORA

openSUSE-SU-2019:1808

vendor-advisory

x_refsource_SUSE

[debian-lts-announce] 20190813 [SECURITY] [DLA 1883-1] tomcat8 security update

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_UBUNTU

vendor-advisory

x_refsource_UBUNTU

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_REDHAT

vendor-advisory

x_refsource_DEBIAN

20191229 [SECURITY] [DSA 4596-1] tomcat8 security update

mailing-list

x_refsource_BUGTRAQ

[announce] 20200131 Apache Software Foundation Security Report: 2019

mailing-list

x_refsource_MLIST

[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/

mailing-list

x_refsource_MLIST

[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/

mailing-list

x_refsource_MLIST

[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/

mailing-list

x_refsource_MLIST

[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/

mailing-list

x_refsource_MLIST

[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_GENTOO

https://www.oracle.com/security-alerts/cpuapr2020.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpujan2020.html

x_refsource_MISC

https://www.oracle.com/security-alerts/cpuApr2021.html

x_refsource_MISC

https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E

x_refsource_CONFIRM

https://security.netapp.com/advisory/ntap-20190606-0001/

x_refsource_CONFIRM

https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/

x_refsource_MISC

https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS

x_refsource_CONFIRM

http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.