{ "schema_version": "1.4.0", "id": "GHSA-jjpq-gp5q-8q6w", "modified": "2024-03-11T14:33:57Z", "published": "2019-05-30T03:30:42Z", "aliases": [ "CVE-2019-0221" ], "summary": "Cross-site scripting in Apache Tomcat", "details": "The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "affected": [ { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "9.0.0" }, { "fixed": "9.0.17" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "8.0.0" }, { "fixed": "8.5.40" } ] } ] }, { "package": { "ecosystem": "Maven", "name": "org.apache.tomcat.embed:tomcat-embed-core" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "7.0.0" }, { "fixed": "7.0.94" } ] } ] } ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0221" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceea" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7e" }, { "type": "WEB", "url": "https://github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32da" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46" }, { "type": "WEB", "url": "https://seclists.org/bugtraq/2019/Dec/43" }, { "type": "WEB", "url": "https://security.gentoo.org/glsa/202003-43" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20190606-0001" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support&%3Butm_medium=RSS" }, { "type": "WEB", "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-7.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-8.html" }, { "type": "WEB", "url": "https://tomcat.apache.org/security-9.html" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4128-1" }, { "type": "WEB", "url": "https://usn.ubuntu.com/4128-2" }, { "type": "WEB", "url": "https://web.archive.org/web/20200227055048/http://www.securityfocus.com/bid/108545" }, { "type": "WEB", "url": "https://www.debian.org/security/2019/dsa-4596" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "type": "WEB", "url": "https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3929" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2019:3931" }, { "type": "PACKAGE", "url": "https://github.com/apache/tomcat" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html" }, { "type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html" }, { "type": "WEB", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html" }, { "type": "WEB", "url": "http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html" }, { "type": "WEB", "url": "http://seclists.org/fulldisclosure/2019/May/50" } ], "database_specific": { "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2019-05-30T03:30:07Z", "nvd_published_at": "2019-05-28T22:29:00Z" } }