CVE-2019-0232
Summary
| CVE | CVE-2019-0232 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-04-15 15:29:00 UTC |
| Updated | 2023-12-08 16:41:00 UTC |
| Description | When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). |
Risk And Classification
Problem Types: CWE-78
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Tomcat | 9.0.0 | m1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m5 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m7 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m8 | All | All |
| Application | Apache | Tomcat | 9.0.0 | m9 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone1 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone10 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone11 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone12 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone13 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone14 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone15 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone16 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone17 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone18 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone19 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone2 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone20 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone21 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone22 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone23 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone24 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone25 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone26 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone3 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone4 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone5 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone6 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone7 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone8 | All | All |
| Application | Apache | Tomcat | 9.0.0 | milestone9 | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Operating System | Microsoft | Windows | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Mitigation, Vendor Advisory |
| April 2019 Apache Tomcat Vulnerabilities in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| code white \| Blog: Java and Command Line Injections in Windows | MISC | codewhitesec.blogspot.com | Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Everyone quotes command line arguments the wrong way – Twisty Little Passages, All Alike | MISC | web.archive.org | Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Mitigation, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Broadcom Inc. \| Connecting Everything | CONFIRM | www.broadcom.com | Technical Description |
| Pony Mail! | MLIST | lists.apache.org | |
| Remote Code Execution (RCE) in CGI Servlet – Apache Tomcat on Windows – CVE-2019-0232 \| Nightwatch Cybersecurity | MISC | wwws.nightwatchcybersecurity.com | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Oracle Critical Patch Update - July 2019 | MISC | www.oracle.com | |
| Synology Inc. | CONFIRM | www.synology.com | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Mitigation, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Mitigation, Vendor Advisory |
| Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | |
| Oracle Critical Patch Update - October 2019 | MISC | www.oracle.com | |
| Oracle Critical Patch Update Advisory - January 2020 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat - TrendLabs Security Intelligence Blog | MISC | blog.trendmicro.com | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Oracle Critical Patch Update Advisory - April 2020 | N/A | www.oracle.com | |
| Full Disclosure: RCE in CGI Servlet – Apache Tomcat on Windows – CVE-2019-0232 | FULLDISC | seclists.org | |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Apache Tomcat CVE-2019-0232 Remote Code Execution Vulnerability | BID | www.securityfocus.com | Third Party Advisory, VDB Entry |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 20287 Oracle Database 19c OJVM Critical Patch Update - January 2020
- 20300 Oracle Database 18c Critical OJVM Patch Update - January 2020
- 20305 Oracle Database 12.2.0.1 Critical OJVM Patch Update - January 2020
- 982261 Java (maven) Security Update for org.apache.tomcat.embed:tomcat-embed-core (GHSA-8vmx-qmch-mpqg)