Description

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Remediation

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html

http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html

http://seclists.org/fulldisclosure/2019/May/50

http://www.securityfocus.com/bid/108545

https://access.redhat.com/errata/RHSA-2019:3929

https://access.redhat.com/errata/RHSA-2019:3931

https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html

https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/

https://seclists.org/bugtraq/2019/Dec/43

https://security.gentoo.org/glsa/202003-43

https://security.netapp.com/advisory/ntap-20190606-0001/

https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS

https://usn.ubuntu.com/4128-1/

https://usn.ubuntu.com/4128-2/

https://www.debian.org/security/2019/dsa-4596

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/

Related Vulnerabilities

CVE-2020-2255 Vulnerability in maven package io.jenkins.blueocean:blueocean-parent

CVE-2022-23617 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore

CVE-2019-5484 Vulnerability in npm package bower

CVE-2022-24818 Vulnerability in maven package org.geotools:gt-metadata

CVE-2017-11554 Vulnerability in maven package org.webjars.npm:node-sass

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory