Description

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Remediation

References

http://seclists.org/fulldisclosure/2019/May/50

https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html

http://www.securityfocus.com/bid/108545

https://security.netapp.com/advisory/ntap-20190606-0001/

https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html

https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html

https://usn.ubuntu.com/4128-1/

https://usn.ubuntu.com/4128-2/

https://access.redhat.com/errata/RHSA-2019:3931

https://access.redhat.com/errata/RHSA-2019:3929

https://www.debian.org/security/2019/dsa-4596

https://seclists.org/bugtraq/2019/Dec/43

https://www.oracle.com/security-alerts/cpujan2020.html

https://security.gentoo.org/glsa/202003-43

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpuApr2021.html

http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/

https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E

https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS

Related Vulnerabilities

CVE-2021-21306 Vulnerability in npm package marked

CVE-2023-44483 Vulnerability in maven package org.apache.santuario:xmlsec

CVE-2021-21391 Vulnerability in npm package @ckeditor/ckeditor5-paste-from-office

CVE-2020-28487 Vulnerability in npm package vis-timeline

CVE-2020-28442 Vulnerability in maven package org.webjars.npm:js-data

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory