{"containers": {"cna": {"affected": [{"product": "Apache Tomcat", "vendor": "Apache", "versions": [{"status": "affected", "version": "Apache Tomcat 9.0.0.M1 to 9.0.0.17"}, {"status": "affected", "version": "8.5.0 to 8.5.39"}, {"status": "affected", "version": "7.0.0 to 7.0.93"}]}], "datePublic": "2019-05-17T00:00:00", "descriptions": [{"lang": "en", "value": "The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website."}], "problemTypes": [{"descriptions": [{"description": "Cross-Site Scripting", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-07-13T16:06:28", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"name": "20190529 XSS in SSI printenv command - Apache Tomcat - CVE-2019-0221", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/May/50"}, {"name": "[debian-lts-announce] 20190530 [SECURITY] [DLA 1810-1] tomcat7 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html"}, {"name": "108545", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108545"}, {"name": "FEDORA-2019-1a3f878d27", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/"}, {"name": "openSUSE-SU-2019:1673", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html"}, {"name": "FEDORA-2019-d66febb5df", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/"}, {"name": "openSUSE-SU-2019:1808", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html"}, {"name": "[debian-lts-announce] 20190813 [SECURITY] [DLA 1883-1] tomcat8 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html"}, {"name": "USN-4128-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4128-1/"}, {"name": "USN-4128-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4128-2/"}, {"name": "RHSA-2019:3929", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3929"}, {"name": "RHSA-2019:3931", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3931"}, {"name": "DSA-4596", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4596"}, {"name": "20191229 [SECURITY] [DSA 4596-1] tomcat8 security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Dec/43"}, {"name": "[announce] 20200131 Apache Software Foundation Security Report: 2019", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"}, {"name": "[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"}, {"name": "GLSA-202003-43", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-43"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190606-0001/"}, {"tags": ["x_refsource_MISC"], "url": "https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2019-0221", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Tomcat", "version": {"version_data": [{"version_value": "Apache Tomcat 9.0.0.M1 to 9.0.0.17"}, {"version_value": "8.5.0 to 8.5.39"}, {"version_value": "7.0.0 to 7.0.93"}]}}]}, "vendor_name": "Apache"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Cross-Site Scripting"}]}]}, "references": {"reference_data": [{"name": "20190529 XSS in SSI printenv command - Apache Tomcat - CVE-2019-0221", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/May/50"}, {"name": "[debian-lts-announce] 20190530 [SECURITY] [DLA 1810-1] tomcat7 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html"}, {"name": "108545", "refsource": "BID", "url": "http://www.securityfocus.com/bid/108545"}, {"name": "FEDORA-2019-1a3f878d27", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/"}, {"name": "openSUSE-SU-2019:1673", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html"}, {"name": "FEDORA-2019-d66febb5df", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/"}, {"name": "openSUSE-SU-2019:1808", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html"}, {"name": "[debian-lts-announce] 20190813 [SECURITY] [DLA 1883-1] tomcat8 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html"}, {"name": "USN-4128-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4128-1/"}, {"name": "USN-4128-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4128-2/"}, {"name": "RHSA-2019:3929", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3929"}, {"name": "RHSA-2019:3931", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3931"}, {"name": "DSA-4596", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4596"}, {"name": "20191229 [SECURITY] [DSA 4596-1] tomcat8 security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Dec/43"}, {"name": "[announce] 20200131 Apache Software Foundation Security Report: 2019", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E"}, {"name": "[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E"}, {"name": "GLSA-202003-43", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-43"}, {"name": "https://www.oracle.com/security-alerts/cpuapr2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"name": "https://www.oracle.com/security-alerts/cpujan2020.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"name": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E", "refsource": "CONFIRM", "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E"}, {"name": "https://security.netapp.com/advisory/ntap-20190606-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190606-0001/"}, {"name": "https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/", "refsource": "MISC", "url": "https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/"}, {"name": "https://support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS"}, {"name": "http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:44:15.953Z"}, "title": "CVE Program Container", "references": [{"name": "20190529 XSS in SSI printenv command - Apache Tomcat - CVE-2019-0221", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/May/50"}, {"name": "[debian-lts-announce] 20190530 [SECURITY] [DLA 1810-1] tomcat7 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html"}, {"name": "108545", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108545"}, {"name": "FEDORA-2019-1a3f878d27", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/"}, {"name": "openSUSE-SU-2019:1673", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html"}, {"name": "FEDORA-2019-d66febb5df", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/"}, {"name": "openSUSE-SU-2019:1808", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html"}, {"name": "[debian-lts-announce] 20190813 [SECURITY] [DLA 1883-1] tomcat8 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html"}, {"name": "USN-4128-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4128-1/"}, {"name": "USN-4128-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4128-2/"}, {"name": "RHSA-2019:3929", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3929"}, {"name": "RHSA-2019:3931", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3931"}, {"name": "DSA-4596", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4596"}, {"name": "20191229 [SECURITY] [DSA 4596-1] tomcat8 security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Dec/43"}, {"name": "[announce] 20200131 Apache Software Foundation Security Report: 2019", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"}, {"name": "[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"}, {"name": "[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"}, {"name": "GLSA-202003-43", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-43"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190606-0001/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0221", "datePublished": "2019-05-28T21:01:28", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2024-08-04T17:44:15.953Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "91627C43-9E36-447C-AC2B-A63F1CDB29C7", "versionEndIncluding": "7.0.93", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "4064056C-7B06-49BA-A4D2-0C228060B116", "versionEndIncluding": "8.5.39", "versionStartIncluding": "8.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A70BBA8-1F21-4CD6-822A-17ECC4710065", "versionEndIncluding": "9.0.17", "versionStartIncluding": "9.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "9D0689FE-4BC0-4F53-8C79-34B21F9B86C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*", "matchCriteriaId": "89B129B2-FB6F-4EF9-BF12-E589A87996CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*", "matchCriteriaId": "8B6787B6-54A8-475E-BA1C-AB99334B2535", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*", "matchCriteriaId": "EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*", "matchCriteriaId": "E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*", "matchCriteriaId": "8A6DA0BE-908C-4DA8-A191-A0113235E99A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*", "matchCriteriaId": "39029C72-28B4-46A4-BFF5-EC822CFB2A4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*", "matchCriteriaId": "1A2E05A3-014F-4C4D-81E5-88E725FBD6AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*", "matchCriteriaId": "166C533C-0833-41D5-99B6-17A4FAB3CAF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*", "matchCriteriaId": "D3768C60-21FA-4B92-B98C-C3A2602D1BC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*", "matchCriteriaId": "DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "9F542E12-6BA8-4504-A494-DA83E7E19BD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*", "matchCriteriaId": "C2409CC7-6A85-4A66-A457-0D62B9895DC1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*", "matchCriteriaId": "B392A7E5-4455-4B1C-8FAC-AE6DDC70689E", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*", "matchCriteriaId": "EF411DDA-2601-449A-9046-D250419A0E1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*", "matchCriteriaId": "D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*", "matchCriteriaId": "1B4FBF97-DE16-4E5E-BE19-471E01818D40", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*", "matchCriteriaId": "3B266B1E-24B5-47EE-A421-E0E3CC0C7471", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*", "matchCriteriaId": "29614C3A-6FB3-41C7-B56E-9CC3F45B04F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*", "matchCriteriaId": "C6AB156C-8FF6-4727-AF75-590D0DCB3F9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "C0C5F004-F7D8-45DB-B173-351C50B0EC16", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*", "matchCriteriaId": "D1902D2E-1896-4D3D-9E1C-3A675255072C", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*", "matchCriteriaId": "49AAF4DF-F61D-47A8-8788-A21E317A145D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*", "matchCriteriaId": "454211D0-60A2-4661-AECA-4C0121413FEB", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*", "matchCriteriaId": "0686F977-889F-4960-8E0B-7784B73A7F2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*", "matchCriteriaId": "558703AE-DB5E-4DFF-B497-C36694DD7B24", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*", "matchCriteriaId": "ED6273F2-1165-47A4-8DD7-9E9B2472941B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website."}, {"lang": "es", "value": "El comando printenv de SSI en Apache Tomcat versi\u00f3n 9.0.0.M1 hasta 9.0.0.17, versi\u00f3n 8.5.0 hasta 8.5.39 y versi\u00f3n 7.0.0 hasta 7.0.93, hace eco de los datos suministrados por el usuario sin escapar, y en consecuencia, es vulnerable a XSS. SSI est\u00e1 deshabilitado por defecto. El comando printenv est\u00e1 destinado a la depuraci\u00f3n y es poco probable que est\u00e9 presente en un sitio web de producci\u00f3n."}], "id": "CVE-2019-0221", "lastModified": "2024-11-21T04:16:31.373", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-05-28T22:29:00.563", "references": [{"source": "security@apache.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html"}, {"source": "security@apache.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html"}, {"source": "security@apache.org", "url": "http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/May/50"}, {"source": "security@apache.org", "url": "http://www.securityfocus.com/bid/108545"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2019:3929"}, {"source": "security@apache.org", "url": "https://access.redhat.com/errata/RHSA-2019:3931"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"}, {"source": "security@apache.org", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html"}, {"source": "security@apache.org", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/"}, {"source": "security@apache.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/"}, {"source": "security@apache.org", "url": "https://seclists.org/bugtraq/2019/Dec/43"}, {"source": "security@apache.org", "url": "https://security.gentoo.org/glsa/202003-43"}, {"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20190606-0001/"}, {"source": "security@apache.org", "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS"}, {"source": "security@apache.org", "url": "https://usn.ubuntu.com/4128-1/"}, {"source": "security@apache.org", "url": "https://usn.ubuntu.com/4128-2/"}, {"source": "security@apache.org", "url": "https://www.debian.org/security/2019/dsa-4596"}, {"source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"source": "security@apache.org", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"source": "security@apache.org", "url": "https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/May/50"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/108545"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:3929"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://access.redhat.com/errata/RHSA-2019:3931"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://seclists.org/bugtraq/2019/Dec/43"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202003-43"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20190606-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/4128-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/4128-2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2019/dsa-4596"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:0860", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1", "package": "tomcat", "product_name": "Red Hat JBoss Web Server 3.1", "release_date": "2020-03-17T00:00:00Z"}, {"advisory": "RHSA-2020:0861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package": "tomcat7-0:7.0.70-38.ep7.el6", "product_name": "Red Hat JBoss Web Server 3 for RHEL 6", "release_date": "2020-03-17T00:00:00Z"}, {"advisory": "RHSA-2020:0861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package": "tomcat8-0:8.0.36-42.ep7.el6", "product_name": "Red Hat JBoss Web Server 3 for RHEL 6", "release_date": "2020-03-17T00:00:00Z"}, {"advisory": "RHSA-2020:0861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package": "tomcat-native-0:1.2.23-21.redhat_21.ep7.el6", "product_name": "Red Hat JBoss Web Server 3 for RHEL 6", "release_date": "2020-03-17T00:00:00Z"}, {"advisory": "RHSA-2020:0861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package": "tomcat7-0:7.0.70-38.ep7.el7", "product_name": "Red Hat JBoss Web Server 3 for RHEL 7", "release_date": "2020-03-17T00:00:00Z"}, {"advisory": "RHSA-2020:0861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package": "tomcat8-0:8.0.36-42.ep7.el7", "product_name": "Red Hat JBoss Web Server 3 for RHEL 7", "release_date": "2020-03-17T00:00:00Z"}, {"advisory": "RHSA-2020:0861", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package": "tomcat-native-0:1.2.23-21.redhat_21.ep7.el7", "product_name": "Red Hat JBoss Web Server 3 for RHEL 7", "release_date": "2020-03-17T00:00:00Z"}, {"advisory": "RHSA-2019:3931", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2", "package": "tomcat", "product_name": "Red Hat JBoss Web Server 5", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package": "jws5-ecj-0:4.12.0-1.redhat_1.1.el6jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package": "jws5-javapackages-tools-0:3.4.1-5.15.11.el6jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package": "jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el6jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package": "jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el6jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package": "jws5-tomcat-0:9.0.21-10.redhat_4.1.el6jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package": "jws5-tomcat-native-0:1.2.21-34.redhat_34.el6jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6", "package": "jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el6jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 6", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package": "jws5-ecj-0:4.12.0-1.redhat_1.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package": "jws5-javapackages-tools-0:3.4.1-5.15.11.el7jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package": "jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package": "jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el7jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package": "jws5-tomcat-0:9.0.21-10.redhat_4.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package": "jws5-tomcat-native-0:1.2.21-34.redhat_34.el7jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7", "package": "jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el7jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 7", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package": "jws5-ecj-0:4.12.0-1.redhat_1.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package": "jws5-javapackages-tools-0:3.4.1-5.15.11.el8jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package": "jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package": "jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el8jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package": "jws5-tomcat-0:9.0.21-10.redhat_4.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package": "jws5-tomcat-native-0:1.2.21-34.redhat_34.el8jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date": "2019-11-20T00:00:00Z"}, {"advisory": "RHSA-2019:3929", "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8", "package": "jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el8jws", "product_name": "Red Hat JBoss Web Server 5.2 on RHEL 8", "release_date": "2019-11-20T00:00:00Z"}], "bugzilla": {"description": "tomcat: XSS in SSI printenv", "id": "1713275", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1713275"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-79", "details": ["The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website."], "mitigation": {"lang": "en:us", "value": "SSI is disabled in the default Tomcat configuration. The vulnerable printenv command is intended for debugging, and is recommended to not be enabled for a production website."}, "name": "CVE-2019-0221", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:6", "fix_state": "Out of support scope", "package_name": "tomcat", "product_name": "Red Hat BPM Suite 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "tomcat", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "pki-deps:10.6/pki-servlet-container", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Out of support scope", "package_name": "jbossweb", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:6", "fix_state": "Out of support scope", "package_name": "tomcat", "product_name": "Red Hat JBoss BRMS 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Out of support scope", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "tomcat", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "jbossweb", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Out of support scope", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "tomcat", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Out of support scope", "package_name": "jbossweb", "product_name": "Red Hat JBoss Operations Network 3"}], "public_date": "2019-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-0221\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-0221"], "threat_severity": "Low"}