CVE-2019-0221

Published: 28 May 2019

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Priority

CVSS 3 base score: 6.1

Status

Package	Release	Status
tomcat7 Launchpad, Ubuntu, Debian	bionic	Needed
	cosmic	Ignored (reached end-of-life)
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	precise	Does not exist
	trusty	Needed
	upstream	Needs triage
	xenial	Ignored (end of standard support, was needed)
tomcat8 Launchpad, Ubuntu, Debian	bionic	Released (8.5.39-1ubuntu1~18.04.3)
	cosmic	Ignored (reached end-of-life)
	disco	Does not exist
	eoan	Does not exist
	focal	Does not exist
	groovy	Does not exist
	hirsute	Does not exist
	impish	Does not exist
	jammy	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Released (8.0.32-1ubuntu1.10)
tomcat9 Launchpad, Ubuntu, Debian	bionic	Released (9.0.16-3ubuntu0.18.04.1)
	cosmic	Ignored (reached end-of-life)
	disco	Released (9.0.16-3ubuntu0.19.04.1)
	eoan	Not vulnerable (9.0.16-4)
	focal	Not vulnerable (9.0.16-4)
	groovy	Not vulnerable (9.0.16-4)
	hirsute	Not vulnerable (9.0.16-4)
	impish	Not vulnerable (9.0.16-4)
	jammy	Not vulnerable (9.0.16-4)
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist

Notes

Author	Note
mdeslaur	from upstream advisory: "The printenv command is intended for" "debugging and is unlikely to be present in a production" "website."

CVE-2019-0221

Low

Status

Notes

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading