The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user-provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
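A defender's check for the two preconditions named above (SSI enabled, and a printenv directive present in served content), added here as an example and not taken from the advisory or from Tomcat. It assumes SSI is switched on by declaring Tomcat's `SSIServlet` or `SSIFilter` class in a web.xml (the global `conf/web.xml` or the application's own) and that directives use the `<!--#printenv -->` form; the function names and sample strings are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Tomcat's SSI implementation classes (servlet and filter variants).
SSI_CLASSES = {"org.apache.catalina.ssi.SSIServlet",
               "org.apache.catalina.ssi.SSIFilter"}
# An SSI directive opens with "<!--#"; printenv takes no arguments.
PRINTENV = re.compile(r"<!--#printenv\b", re.IGNORECASE)

# Constructed samples (not from the advisory): SSI declared, SSI commented out, a debug page.
SAMPLE_ON = ("<web-app><servlet><servlet-name>ssi</servlet-name>"
             "<servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>"
             "</servlet></web-app>")
SAMPLE_OFF = SAMPLE_ON.replace("<servlet>", "<!--<servlet>").replace("</servlet>", "</servlet>-->")
SAMPLE_PAGE = "<html>\n<pre><!--#printenv --></pre>\n</html>"


def enabled_ssi_classes(web_xml: str) -> set:
    """Return the SSI classes declared in a web.xml, ignoring commented-out blocks."""
    found = set()
    # ElementTree drops XML comments, so a commented-out declaration yields nothing.
    for el in ET.fromstring(web_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # strip any XML namespace prefix
        if name in ("servlet-class", "filter-class") and (el.text or "").strip() in SSI_CLASSES:
            found.add(el.text.strip())
    return found


def printenv_lines(content: str) -> list:
    """Return the 1-based line numbers that contain a printenv directive."""
    return [n for n, line in enumerate(content.splitlines(), 1) if PRINTENV.search(line)]


def audit(webapp_root: str, web_xml_path: str) -> dict:
    """Report whether SSI is enabled and which files under webapp_root carry printenv."""
    hits = {}
    for path in Path(webapp_root).rglob("*"):
        if path.is_file():
            lines = printenv_lines(path.read_text(errors="replace"))
            if lines:
                hits[str(path.relative_to(webapp_root))] = lines
    ssi = enabled_ssi_classes(Path(web_xml_path).read_text())
    return {"ssi_enabled": sorted(ssi), "printenv": hits, "exposed": bool(ssi and hits)}


if __name__ == "__main__":
    print(enabled_ssi_classes(SAMPLE_ON), enabled_ssi_classes(SAMPLE_OFF), printenv_lines(SAMPLE_PAGE))
```

Run `audit()` once against the application's `WEB-INF/web.xml` and once against the global `conf/web.xml`, since either can enable SSI.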
lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html
lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html
packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html
seclists.org/fulldisclosure/2019/May/50
www.securityfocus.com/bid/108545
access.redhat.com/errata/RHSA-2019:3929
access.redhat.com/errata/RHSA-2019:3931
lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E
lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
lists.debian.org/debian-lts-announce/2019/05/msg00044.html
lists.debian.org/debian-lts-announce/2019/08/msg00015.html
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/
seclists.org/bugtraq/2019/Dec/43
security.gentoo.org/glsa/202003-43
security.netapp.com/advisory/ntap-20190606-0001/
support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS
usn.ubuntu.com/4128-1/
usn.ubuntu.com/4128-2/
www.debian.org/security/2019/dsa-4596
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/security-alerts/cpuApr2021.html
www.oracle.com/security-alerts/cpujan2020.html
wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/