CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

tomcat-catalina is vulnerable to cross-site scripting (XSS). The SSI printenv command outputs user-provided data without sanitizing it, allowing an attacker to inject arbitrary script through it.
lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html
lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html
mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%[email protected]%3E
packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html
seclists.org/fulldisclosure/2019/May/50
tomcat.apache.org/security-7.html#CVE-2019-0221
tomcat.apache.org/security-8.html#CVE-2019-0221
tomcat.apache.org/security-9.html#CVE-2019-0221
www.securityfocus.com/bid/108545
access.redhat.com/errata/RHSA-2019:3929
access.redhat.com/errata/RHSA-2019:3931
lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E
lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
lists.debian.org/debian-lts-announce/2019/05/msg00044.html
lists.debian.org/debian-lts-announce/2019/08/msg00015.html
lists.fedoraproject.org/archives/list/[email protected]/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/
lists.fedoraproject.org/archives/list/[email protected]/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/
seclists.org/bugtraq/2019/Dec/43
security.gentoo.org/glsa/202003-43
security.netapp.com/advisory/ntap-20190606-0001/
support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS
usn.ubuntu.com/4128-1/
usn.ubuntu.com/4128-2/
www.debian.org/security/2019/dsa-4596
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/security-alerts/cpuApr2021.html
www.oracle.com/security-alerts/cpujan2020.html
wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/