CVE-2019-0221
Published: 28 May 2019
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
Notes
Author | Note |
---|---|
mdeslaur | from upstream advisory: "The printenv command is intended for debugging and is unlikely to be present in a production website." |
Priority
Status
Package | Release | Status |
---|---|---|
tomcat7 | bionic | Released (7.0.78-1ubuntu0.1~esm1), available with Ubuntu Pro |
tomcat7 | cosmic | Ignored (end of life) |
tomcat7 | disco | Does not exist |
tomcat7 | eoan | Does not exist |
tomcat7 | focal | Does not exist |
tomcat7 | groovy | Does not exist |
tomcat7 | hirsute | Does not exist |
tomcat7 | impish | Does not exist |
tomcat7 | jammy | Does not exist |
tomcat7 | kinetic | Does not exist |
tomcat7 | lunar | Does not exist |
tomcat7 | mantic | Does not exist |
tomcat7 | noble | Does not exist |
tomcat7 | trusty | Released (7.0.52-1ubuntu0.16+esm1), available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
tomcat7 | upstream | Needs triage |
tomcat7 | xenial | Released (7.0.68-1ubuntu0.4+esm2), available with Ubuntu Pro |
tomcat7 | Patches | upstream: https://github.com/apache/tomcat/commit/44ec74c |
tomcat8 | bionic | Released (8.5.39-1ubuntu1~18.04.3) |
tomcat8 | cosmic | Ignored (end of life) |
tomcat8 | disco | Does not exist |
tomcat8 | eoan | Does not exist |
tomcat8 | focal | Does not exist |
tomcat8 | groovy | Does not exist |
tomcat8 | hirsute | Does not exist |
tomcat8 | impish | Does not exist |
tomcat8 | jammy | Does not exist |
tomcat8 | kinetic | Does not exist |
tomcat8 | lunar | Does not exist |
tomcat8 | mantic | Does not exist |
tomcat8 | noble | Does not exist |
tomcat8 | trusty | Does not exist |
tomcat8 | upstream | Needs triage |
tomcat8 | xenial | Released (8.0.32-1ubuntu1.10) |
tomcat8 | Patches | upstream: https://github.com/apache/tomcat/commit/4fcdf70 |
tomcat9 | bionic | Released (9.0.16-3ubuntu0.18.04.1) |
tomcat9 | cosmic | Ignored (end of life) |
tomcat9 | disco | Released (9.0.16-3ubuntu0.19.04.1) |
tomcat9 | eoan | Not vulnerable (9.0.16-4) |
tomcat9 | focal | Not vulnerable (9.0.16-4) |
tomcat9 | groovy | Not vulnerable (9.0.16-4) |
tomcat9 | hirsute | Not vulnerable (9.0.16-4) |
tomcat9 | impish | Not vulnerable (9.0.16-4) |
tomcat9 | jammy | Not vulnerable (9.0.16-4) |
tomcat9 | kinetic | Not vulnerable (9.0.16-4) |
tomcat9 | lunar | Not vulnerable (9.0.16-4) |
tomcat9 | mantic | Not vulnerable (9.0.16-4) |
tomcat9 | noble | Not vulnerable (9.0.16-4) |
tomcat9 | trusty | Does not exist |
tomcat9 | upstream | Needs triage |
tomcat9 | xenial | Does not exist |
tomcat9 | Patches | upstream: https://github.com/apache/tomcat/commit/15fcd16 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.1 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Changed |
Confidentiality | Low |
Integrity impact | Low |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References
- https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3Cb1905aa6-f340-8d0b-58c4-8ac3ebcbfa54@apache.org%3E
- https://ubuntu.com/security/notices/USN-4128-1
- https://ubuntu.com/security/notices/USN-4128-2
- https://www.cve.org/CVERecord?id=CVE-2019-0221
- https://ubuntu.com/security/notices/USN-6908-1
- NVD
- Launchpad
- Debian