CVE-2019-0221
Summary
| CVE | CVE-2019-0221 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-05-28 22:29:00 UTC |
| Updated | 2023-12-08 16:41:00 UTC |
| Description | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Tomcat | 9.0.0 | m1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m27 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m5 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m7 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m8 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m9 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone27 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MLIST | lists.apache.org | |
| Bugtraq: [SECURITY] [DSA 4596-1] tomcat8 security update | BUGTRAQ | seclists.org | |
| support.f5.com/csp/article/K13184144 | CONFIRM | support.f5.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| [security-announce] openSUSE-SU-2019:1808-1: moderate: Security update f | SUSE | lists.opensuse.org | |
| Apache Tomcat CVE-2019-0221 Cross Site Scripting Vulnerability | BID | www.securityfocus.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Full Disclosure: XSS in SSI printenv command – Apache Tomcat – CVE-2019-0221 | FULLDISC | seclists.org | Third Party Advisory |
| Pony Mail! | CONFIRM | lists.apache.org | Mailing List, Vendor Advisory |
| Debian -- Security Information -- DSA-4596-1 tomcat8 | DEBIAN | www.debian.org | |
| [SECURITY] [DLA 1810-1] tomcat7 security update | MLIST | lists.debian.org | |
| myF5 | | support.f5.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| USN-4128-2: Tomcat vulnerabilities \| Ubuntu security notices \| Ubuntu | UBUNTU | usn.ubuntu.com | |
| Apache Tomcat 9.0.0.M1 Cross Site Scripting ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Pony Mail! | | lists.apache.org | |
| [security-announce] openSUSE-SU-2019:1673-1: moderate: Security update f | SUSE | lists.opensuse.org | |
| XSS in SSI printenv command – Apache Tomcat – CVE-2019-0221 \| Nightwatch Cybersecurity | MISC | wwws.nightwatchcybersecurity.com | |
| Apache Tomcat: Multiple vulnerabilities (GLSA 202003-43) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] Fedora 29 Update: tomcat-9.0.21-1.fc29 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| [SECURITY] Fedora 30 Update: tomcat-9.0.21-1.fc30 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| USN-4128-1: Tomcat vulnerabilities \| Ubuntu security notices \| Ubuntu | UBUNTU | usn.ubuntu.com | |
| [SECURITY] Fedora 30 Update: tomcat-9.0.21-1.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] [DLA 1883-1] tomcat8 security update | MLIST | lists.debian.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Pony Mail! | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - January 2020 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - April 2020 | N/A | www.oracle.com | |
| Pony Mail! | | lists.apache.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Pony Mail! | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| [SECURITY] Fedora 29 Update: tomcat-9.0.21-1.fc29 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| CVE-2019-0221 Apache Tomcat Vulnerability in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 20287 Oracle Database 19c OJVM Critical Patch Update - January 2020
- 20300 Oracle Database 18c Critical OJVM Patch Update - January 2020
- 20305 Oracle Database 12.2.0.1 Critical OJVM Patch Update - January 2020
- 296081 Oracle Solaris 11.4 Support Repository Update (SRU) 12.5.0 Missing (CPUJUL2019)
- 355773 Amazon Linux Security Advisory for tomcat : ALAS2-2023-2200
- 356307 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-014
- 982008 Java (maven) Security Update for org.apache.tomcat.embed:tomcat-embed-core (GHSA-jjpq-gp5q-8q6w)