CVE-2019-0221

Description

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
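The description lists three preconditions that all have to hold before this XSS is reachable: an affected Tomcat build, SSI actually switched on (it ships disabled, as a commented-out SSIServlet/SSIFilter declaration in conf/web.xml), and a served page that carries a printenv directive. The following audit helper is an added example written for this page, not code from the original page or from the Apache Tomcat project. It assumes nothing beyond the affected ranges stated above and the class names of Tomcat's SSI servlet and filter; the web.xml fragments, page contents and version strings in it are constructed sample inputs.

```python
"""Audit a Tomcat deployment for CVE-2019-0221 exposure (added example).

Three checks, mirroring the conditions in the advisory text:
  1. upstream version inside an affected range,
  2. SSIServlet or SSIFilter declared (and not commented out) in conf/web.xml,
  3. a served .shtml page containing an SSI printenv directive.
All inputs below are constructed for the example; nothing is read from disk.
"""
import re
import xml.etree.ElementTree as ET

# Affected upstream ranges from the advisory: (major, minor) -> (first, last patch).
AFFECTED = {
    (7, 0): (0, 93),   # 7.0.0  .. 7.0.93
    (8, 5): (0, 39),   # 8.5.0  .. 8.5.39
    (9, 0): (0, 17),   # 9.0.0.M1 .. 9.0.17 (written "9.0.0.17" in the advisory)
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M?\d+))?$")


def is_affected(version: str) -> bool:
    """True if an *upstream* Tomcat version string is in an affected range.

    Distribution packages backport fixes without bumping the version
    (e.g. Ubuntu's 8.5.39-1ubuntu1~18.04.3 from USN-4128-1 is patched),
    so for distro builds check the package changelog, not this function.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    extra = m.group(4)
    if extra and extra.startswith("M"):
        # 9.0.0.M1 .. 9.0.0.M27 milestones all predate the fix.
        return (major, minor, patch) == (9, 0, 0)
    if extra:
        patch = int(extra)  # advisory-style four-part form such as 9.0.0.17
    rng = AFFECTED.get((major, minor))
    return rng is not None and rng[0] <= patch <= rng[1]


SSI_CLASSES = {
    "org.apache.catalina.ssi.SSIServlet",
    "org.apache.catalina.ssi.SSIFilter",
}


def ssi_enabled(web_xml: str) -> bool:
    """True if web.xml declares the SSI servlet or filter outside a comment.

    ElementTree discards XML comments while parsing, so Tomcat's stock
    (commented-out) declaration does not count; only a live one does.
    """
    root = ET.fromstring(web_xml)
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # ignore the Java EE namespace
        if local in ("servlet-class", "filter-class"):
            if (el.text or "").strip() in SSI_CLASSES:
                return True
    return False


# Tomcat SSI directives look like <!--#command ... -->; match printenv only.
_PRINTENV_RE = re.compile(r"<!--#\s*printenv\b", re.IGNORECASE)


def pages_with_printenv(pages: dict) -> list:
    """Names of pages (name -> source text) that contain a printenv directive."""
    return sorted(name for name, body in pages.items() if _PRINTENV_RE.search(body))


def audit(version: str, web_xml: str, pages: dict):
    """Return (reachable, reasons): the XSS needs all three conditions."""
    reasons = []
    if is_affected(version):
        reasons.append(f"version {version} is in an affected upstream range")
    if ssi_enabled(web_xml):
        reasons.append("SSI servlet/filter is enabled in web.xml")
    hits = pages_with_printenv(pages)
    if hits:
        reasons.append("printenv directive in: " + ", ".join(hits))
    return len(reasons) == 3, reasons


# Constructed sample inputs (not real deployment files).
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!-- As shipped: the SSI servlet is commented out, so SSI is off.
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  -->
</web-app>
"""

SSI_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
  </servlet-mapping>
</web-app>
"""

SAMPLE_PAGES = {
    "index.shtml": "<html><!--#include virtual=\"/footer.html\" --></html>",
    "debug.shtml": "<html><pre><!--#printenv --></pre></html>",
}

if __name__ == "__main__":
    print(audit("9.0.17", SSI_WEB_XML, SAMPLE_PAGES))
    print(audit("9.0.19", SSI_WEB_XML, SAMPLE_PAGES))
```

Run it against a copy of the host's conf/web.xml and the .shtml files under webapps/; a negative `is_affected` result for a vendor-packaged Tomcat is not proof of a fix, since distributions patch in place, which is exactly why the Ubuntu and Debian entries below carry package revisions rather than new upstream versions.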

Risk Information

Base Score: 6.1 (MODERATE)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score (Exploitation Probability): 43.363

Associated Vulnerability

Vulnerability | OS Platform
Update Apache Tomcat to version 9.0.19 | Windows
Update Apache Tomcat to version 8.5.40 | Windows
Update Apache Tomcat to version 7.0.94 | Windows
Vulnerabilities CVE-2019-0221, CVE-2019-0232 are fixed in Apache - tomcat-embed-core 9.0.19 | Windows
Vulnerabilities CVE-2019-0221, CVE-2019-0232 are fixed in Apache - tomcat-embed-core 8.5.40 | Windows
Vulnerabilities CVE-2019-0221, CVE-2019-0232 are fixed in Apache - tomcat-embed-core 7.0.94 | Windows
Servlet and JSP engine (USN-4128-1) tomcat8_8.0.32-1ubuntu1.10_all.deb | Linux
Servlet and JSP engine (USN-4128-1) tomcat8_8.5.39-1ubuntu1~18.04.3_all.deb | Linux
Servlet and JSP engine (USN-4128-1) libtomcat8-java_8.0.32-1ubuntu1.10_all.deb | Linux
Servlet and JSP engine (USN-4128-1) libtomcat8-java_8.5.39-1ubuntu1~18.04.3_all.deb | Linux
tomcat8 security update (DSA-4596-1) tomcat8_8.5.50-0+deb9u1_all.deb | Linux
Update Apache Tomcat to version 9.0.19 (for Linux) | Linux
Update Apache Tomcat to version 8.5.40 (for Linux) | Linux
Update Apache Tomcat to version 7.0.94 (for Linux) | Linux
Vulnerabilities CVE-2019-0221, CVE-2019-0232 are fixed in Apache - tomcat-embed-core for Linux 9.0.19 | Linux
Vulnerabilities CVE-2019-0221, CVE-2019-0232 are fixed in Apache - tomcat-embed-core for Linux 8.5.40 | Linux
Vulnerabilities CVE-2019-0221, CVE-2019-0232 are fixed in Apache - tomcat-embed-core for Linux 7.0.94 | Linux
Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability (CVE-2019-0221) | NCM

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2019-0221
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0221