
22 matches found

Tenable Nessus
added 2024/07/12 12:0 a.m. | 28 views

RHEL 7 : tomcat (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - tomcat: XSS in SSI printenv CVE-2019-0221 - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14,...

CVSS 7.5 | AI score 7.1 | EPSS 0.55532
Exploits 9 | References 3

Tenable Nessus
added 2024/07/12 12:0 a.m. | 42 views

RHEL 8 : tomcat (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - tomcat: Session fixation when using FORM authentication CVE-2019-17563 - tomcat: JsonErrorReportValve...

CVSS 7.5 | AI score 7.8 | EPSS 0.92155
Exploits 25 | References 17

Tenable Nessus
added 2024/06/03 12:0 a.m. | 38 views

RHEL 8 : tomcat (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - tomcat: Fix for CVE-2023-24998 was incomplete CVE-2023-28709 Note that Nessus has not tested for this issue but has...

CVSS 7.5 | AI score 7.1 | EPSS 0.37165
Exploits 1 | References 1

Tenable Nessus
added 2024/05/23 12:0 a.m. | 49 views

Apache Tomcat 9.0.0.M1 < 9.0.19 multiple vulnerabilities

The version of Tomcat installed on the remote host is prior to 9.0.19. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.19_security-9 advisory. - When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1...

CVSS 9.3 | AI score 7.7 | EPSS 0.94221
Exploits 11 | References 7

Amazon
added 2023/09/25 12:0 a.m. | 5 views

Medium: tomcat

Issue Overview: The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be...

CVSS 6.1 | AI score 7.1 | EPSS 0.14481
Exploits 3

OSV
added 2022/12/09 5:22 p.m. | 2 views

CLSA-2022-1670606563 Fix CVE(s): CVE-2019-0221

SECURITY UPDATE: The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. - debian/patches/CVE-2019-0221.patch: Escape debug output to aid readability - CVE-2019-0221...

CVSS 6.1 | AI score 6.9 | EPSS 0.14481
Exploits 3 | References 1

Broadcom
added 2020/07/06 12:0 a.m. | 7 views

BSA-2020-1045

Security Advisory ID : BSA-2020-1045 Component : Apache Tomcat Revision : 1.0: Final The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The...

CVSS 6.1 | AI score 7 | EPSS 0.14481
Exploits 3

Tenable Nessus
added 2020/03/18 12:0 a.m. | 56 views

RHEL 6 / 7 : Red Hat JBoss Web Server 3.1 Service Pack 8 (RHSA-2020:0861)

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0861 advisory. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the...

CVSS 9.8 | AI score 7.2 | EPSS 0.94469
Exploits 47 | References 11

Tenable Nessus
added 2019/09/19 12:0 a.m. | 47 views

Ubuntu 18.04 LTS : Tomcat vulnerabilities (USN-4128-2)

The remote Ubuntu 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4128-2 advisory. It was discovered that the Tomcat 9 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to...

CVSS 7.5 | AI score 6.8 | EPSS 0.713
Exploits 3 | References 3

OSV
added 2019/09/18 2:8 p.m. | 2 views

USN-4128-2 tomcat9 vulnerabilities

It was discovered that the Tomcat 9 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to perform an XSS attack. CVE-2019-0221 It was discovered that Tomcat 9 did not address HTTP/2 connection window exhaustion on write while addressing...

CVSS 7.5 | AI score 6.8 | EPSS 0.713
Exploits 3 | References 3

Tenable Nessus
added 2019/08/14 12:0 a.m. | 63 views

Debian DLA-1883-1 : tomcat8 security update (httpoxy)

Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388 Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variabl...

CVSS 9.8 | AI score 8 | EPSS 0.61164
Exploits 3 | References 5

OpenVAS
added 2019/08/14 12:0 a.m. | 48 views

Debian: Security Advisory (DLA-1883-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.8 | AI score 7.7 | EPSS 0.61164
Exploits 3 | References 3

Debian
added 2019/08/13 7:30 p.m. | 204 views

[SECURITY] [DLA 1883-1] tomcat8 security update

Package : tomcat8 Version : 8.0.14-1+deb8u15 CVE ID : CVE-2016-5388 CVE-2018-8014 CVE-2019-0221 Debian Bug : 929895 898935 Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388 Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18...

CVSS 9.8 | AI score 8 | EPSS 0.61164
Exploits 3

OPENSUSE Linux
added 2019/07/25 12:0 a.m. | 138 views

Security update for tomcat (moderate)

openSUSE Security Update: Security update for tomcat Announcement ID: openSUSE-SU-2019:1808-1 Rating: moderate References: 1111966 1131055 1136085 Cross-References: CVE-2019-0199 CVE-2019-0221 Affected Products: openSUSE Leap 15.1 An update that solves two vulnerabilities and has one errata is no...

CVSS 7.5 | AI score 7.4 | EPSS 0.65581
Exploits 3 | References 3

OPENSUSE Linux
added 2019/06/30 12:0 a.m. | 77 views

Security update for tomcat (moderate)

openSUSE Security Update: Security update for tomcat Announcement ID: openSUSE-SU-2019:1673-1 Rating: moderate References: 1111966 1131055 1136085 Cross-References: CVE-2019-0199 CVE-2019-0221 Affected Products: openSUSE Leap 15.0 An update that solves two vulnerabilities and has one errata is no...

CVSS 7.5 | AI score 7.4 | EPSS 0.65581
Exploits 3 | References 3

Tenable Nessus
added 2019/06/25 12:0 a.m. | 39 views

Fedora 30 : 1:tomcat (2019-1a3f878d27)

This update includes a rebase from 9.0.13 up to 9.0.21 which resolves two CVEs along with various other bugs/features : - rhbz1673856 tomcat-9.0.21 is available - rhbz1713279 CVE-2019-0221 tomcat: XSS in SSI printenv - rhbz1693326 CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS Note that Tenable...

CVSS 7.5 | AI score 6.5 | EPSS 0.65581
Exploits 3 | References 3

Tenable Nessus
added 2019/05/31 12:0 a.m. | 56 views

Debian DLA-1810-1 : tomcat7 security update

Nightwatch Cybersecurity Research team identified a XSS vulnerability in tomcat7. The SSI printenv command echoes user provided data without escaping. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. For Debian 8...

CVSS 6.1 | AI score 6.6 | EPSS 0.14481
Exploits 3 | References 3

CVE
added 2019/05/28 9:1 p.m. | 775 views

CVE-2019-0221

CVE-2019-0221 affects Apache Tomcat across multiple major lines (Tomcat 9.0.0.M1–9.0.0.17, 8.5.0–8.5.39, 7.0.0–7.0.93). The underlying issue is that the SSI printenv command echoes user-provided data without escaping, enabling cross-site scripting (XSS). SSI is disabled by default and intended fo...

CVSS 6.1 | AI score 6.8 | EPSS 0.14481
Exploits 3 | References 29 | Affected Software 1

Tenable Nessus
added 2019/04/16 12:0 a.m. | 1548 views

Apache Tomcat 8.5.0 < 8.5.40 multiple vulnerabilities

The version of Tomcat installed on the remote host is prior to 8.5.40. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.5.40_security-8 advisory. - When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1...

CVSS 9.3 | AI score 7.7 | EPSS 0.94221
Exploits 11 | References 7

Apache Tomcat
added 2019/04/13 12:0 a.m. | 287 views

Fixed in Apache Tomcat 9.0.19

Note: The issues below were fixed in Apache Tomcat 9.0.18 but the release vote for the 9.0.18 release candidate did not pass. Therefore, although users must download 9.0.19 to obtain a version that includes a fix for these issues, version 9.0.18 is not included in the list of affected versions...

CVSS 9.3 | AI score 7.4 | EPSS 0.94221
Exploits 11 | Affected Software 1