CVE-2019-0221
Published: 28 May 2019
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user-provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
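The description above gives three preconditions a deployment has to meet before this issue is reachable: a build in one of the listed version ranges, SSI switched on (it is off by default), and a page that actually uses the printenv directive. The following checker, added here as an example and not code from the Apache Tomcat project or the Ubuntu security team, tests all three offline against a version string (the form printed by `version.sh` or found in `ServerInfo.properties`), the text of `conf/web.xml`, and a map of deployed page contents. The inputs below are constructed samples. One assumption is spelled out in the code: the upstream range "9.0.0.M1 to 9.0.0.17" is read as the 9.0.0.M1 milestone through release 9.0.17, since the Tomcat 9 line dropped the fourth version component after the milestone builds.

```python
import re
import xml.etree.ElementTree as ET

# Version ranges as listed on this page. Upstream writes the 9.0 range as
# "9.0.0.M1 to 9.0.0.17"; it is read here as milestone 9.0.0.M1 through
# release 9.0.17 (assumption: Tomcat 9 dropped the fourth version component
# after the milestone series). 8.0.x is not in the upstream list even though
# the xenial tomcat8 update below patched it.
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 0, 93)),
    ((8, 5, 0), (8, 5, 39)),
    ((9, 0, 0, 1), (9, 0, 17)),
]

# Classes that enable SSI processing when declared (uncommented) in conf/web.xml.
SSI_CLASSES = {
    "org.apache.catalina.ssi.SSIServlet",
    "org.apache.catalina.ssi.SSIFilter",
}

# The SSI directive whose unescaped output is the sink described on this page.
PRINTENV_RE = re.compile(r"<!--#\s*printenv\s*-->", re.IGNORECASE)


def parse_version(text):
    """Turn '9.0.0.M5', '8.5.39' or 'Apache Tomcat/7.0.93' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", text)
    if m is None:
        raise ValueError("no Tomcat version found in %r" % text)
    parts = [int(m.group(i)) for i in (1, 2, 3)]
    if m.group(4) is not None:
        parts.append(int(m.group(4)))  # milestone number; sorts before 9.0.1
    return tuple(parts)


def version_affected(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def ssi_enabled(web_xml):
    """Return the SSI servlet/filter classes actually declared in web.xml.
    The parser discards comments, so Tomcat's shipped commented-out
    SSI definitions are correctly reported as not enabled."""
    root = ET.fromstring(web_xml)
    found = set()
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the javaee namespace
        if tag in ("servlet-class", "filter-class") and el.text:
            cls = el.text.strip()
            if cls in SSI_CLASSES:
                found.add(cls)
    return found


def printenv_pages(pages):
    """pages maps a path to its content; return paths containing #printenv."""
    return sorted(p for p, body in pages.items() if PRINTENV_RE.search(body))


def assess(version_text, web_xml, pages):
    affected = version_affected(version_text)
    ssi = ssi_enabled(web_xml)
    hits = printenv_pages(pages)
    return {
        "affected_version": affected,
        "ssi_classes": sorted(ssi),
        "printenv_pages": hits,
        # All three must hold for the unescaped output to be reachable.
        "exposed": affected and bool(ssi) and bool(hits),
    }


# Constructed sample: the filter stays commented out as shipped, but the
# SSI servlet has been uncommented and mapped to *.shtml.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!--
  <filter>
    <filter-name>ssi</filter-name>
    <filter-class>org.apache.catalina.ssi.SSIFilter</filter-class>
  </filter>
  -->
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample pages: one debug page uses printenv, the others do not.
SAMPLE_PAGES = {
    "ROOT/index.shtml": '<html><body><!--#echo var="DATE_LOCAL" --></body></html>',
    "ROOT/debug.shtml": "<html><body><pre><!--#printenv --></pre></body></html>",
    "ROOT/static.html": "<html><body>no ssi here</body></html>",
}

if __name__ == "__main__":
    for ver in ("Apache Tomcat/9.0.16", "Apache Tomcat/9.0.18"):
        print(ver, assess(ver, SAMPLE_WEB_XML, SAMPLE_PAGES))
```

The version check alone is not a verdict: the bionic and xenial packages listed below carry the fix at versions that still fall inside the upstream ranges, so on Ubuntu compare the installed package version against the table rather than the bare Tomcat version. The SSI and printenv checks remain useful regardless, since removing the debug page or leaving SSI disabled closes the sink independently of patching.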
Priority
CVSS 3 base score: 6.1
Status
Package | Release | Status |
---|---|---|
tomcat7 (Launchpad, Ubuntu, Debian) | bionic | Needed |
tomcat7 | cosmic | Ignored (reached end-of-life) |
tomcat7 | disco | Does not exist |
tomcat7 | eoan | Does not exist |
tomcat7 | focal | Does not exist |
tomcat7 | groovy | Does not exist |
tomcat7 | hirsute | Does not exist |
tomcat7 | impish | Does not exist |
tomcat7 | jammy | Does not exist |
tomcat7 | precise | Does not exist |
tomcat7 | trusty | Needed |
tomcat7 | upstream | Needs triage |
tomcat7 | xenial | Ignored (end of standard support, was needed) |
tomcat8 (Launchpad, Ubuntu, Debian) | bionic | Released (8.5.39-1ubuntu1~18.04.3) |
tomcat8 | cosmic | Ignored (reached end-of-life) |
tomcat8 | disco | Does not exist |
tomcat8 | eoan | Does not exist |
tomcat8 | focal | Does not exist |
tomcat8 | groovy | Does not exist |
tomcat8 | hirsute | Does not exist |
tomcat8 | impish | Does not exist |
tomcat8 | jammy | Does not exist |
tomcat8 | precise | Does not exist |
tomcat8 | trusty | Does not exist |
tomcat8 | upstream | Needs triage |
tomcat8 | xenial | Released (8.0.32-1ubuntu1.10) |
tomcat9 (Launchpad, Ubuntu, Debian) | bionic | Released (9.0.16-3ubuntu0.18.04.1) |
tomcat9 | cosmic | Ignored (reached end-of-life) |
tomcat9 | disco | Released (9.0.16-3ubuntu0.19.04.1) |
tomcat9 | eoan | Not vulnerable (9.0.16-4) |
tomcat9 | focal | Not vulnerable (9.0.16-4) |
tomcat9 | groovy | Not vulnerable (9.0.16-4) |
tomcat9 | hirsute | Not vulnerable (9.0.16-4) |
tomcat9 | impish | Not vulnerable (9.0.16-4) |
tomcat9 | jammy | Not vulnerable (9.0.16-4) |
tomcat9 | precise | Does not exist |
tomcat9 | trusty | Does not exist |
tomcat9 | upstream | Needs triage |
tomcat9 | xenial | Does not exist |
Notes
Author | Note |
---|---|
mdeslaur | from upstream advisory: "The printenv command is intended for debugging and is unlikely to be present in a production website." |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221
- https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3Cb1905aa6-f340-8d0b-58c4-8ac3ebcbfa54@apache.org%3E
- https://ubuntu.com/security/notices/USN-4128-1
- https://ubuntu.com/security/notices/USN-4128-2
- NVD
- Launchpad
- Debian