Lucene search

K
cveApacheCVE-2019-0221
HistoryMay 28, 2019 - 10:29 p.m.

CVE-2019-0221

2019-05-2822:29:00
CWE-79
apache
web.nvd.nist.gov
550
3
cve-2019-0221
apache tomcat
xss vulnerability
ssi printenv command
nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

0.011

Percentile

84.5%

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Affected configurations

Nvd
Vulners
Node
apachetomcatRange7.0.07.0.93
OR
apachetomcatRange8.5.08.5.39
OR
apachetomcatRange9.0.19.0.17
OR
apachetomcatMatch9.0.0milestone1
OR
apachetomcatMatch9.0.0milestone10
OR
apachetomcatMatch9.0.0milestone11
OR
apachetomcatMatch9.0.0milestone12
OR
apachetomcatMatch9.0.0milestone13
OR
apachetomcatMatch9.0.0milestone14
OR
apachetomcatMatch9.0.0milestone15
OR
apachetomcatMatch9.0.0milestone16
OR
apachetomcatMatch9.0.0milestone17
OR
apachetomcatMatch9.0.0milestone18
OR
apachetomcatMatch9.0.0milestone19
OR
apachetomcatMatch9.0.0milestone2
OR
apachetomcatMatch9.0.0milestone20
OR
apachetomcatMatch9.0.0milestone21
OR
apachetomcatMatch9.0.0milestone22
OR
apachetomcatMatch9.0.0milestone23
OR
apachetomcatMatch9.0.0milestone24
OR
apachetomcatMatch9.0.0milestone25
OR
apachetomcatMatch9.0.0milestone26
OR
apachetomcatMatch9.0.0milestone27
OR
apachetomcatMatch9.0.0milestone3
OR
apachetomcatMatch9.0.0milestone4
OR
apachetomcatMatch9.0.0milestone5
OR
apachetomcatMatch9.0.0milestone6
OR
apachetomcatMatch9.0.0milestone7
OR
apachetomcatMatch9.0.0milestone8
OR
apachetomcatMatch9.0.0milestone9
VendorProductVersionCPE
apachetomcat*cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apachetomcat9.0.0cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
apachetomcat9.0.0cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
apachetomcat9.0.0cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
apachetomcat9.0.0cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
apachetomcat9.0.0cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
apachetomcat9.0.0cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
apachetomcat9.0.0cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
apachetomcat9.0.0cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
apachetomcat9.0.0cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
Rows per page:
1-10 of 281

CNA Affected

[
  {
    "product": "Apache Tomcat",
    "vendor": "Apache",
    "versions": [
      {
        "status": "affected",
        "version": "Apache Tomcat 9.0.0.M1 to 9.0.0.17"
      },
      {
        "status": "affected",
        "version": "8.5.0 to 8.5.39"
      },
      {
        "status": "affected",
        "version": "7.0.0 to 7.0.93"
      }
    ]
  }
]

References

Social References

More

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score

6.8

Confidence

High

EPSS

0.011

Percentile

84.5%