Description

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Remediation

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html

http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html

http://seclists.org/fulldisclosure/2019/May/50

http://www.securityfocus.com/bid/108545

https://access.redhat.com/errata/RHSA-2019:3929

https://access.redhat.com/errata/RHSA-2019:3931

https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html

https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/

https://seclists.org/bugtraq/2019/Dec/43

https://security.gentoo.org/glsa/202003-43

https://security.netapp.com/advisory/ntap-20190606-0001/

https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS

https://usn.ubuntu.com/4128-1/

https://usn.ubuntu.com/4128-2/

https://www.debian.org/security/2019/dsa-4596

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/

Related Vulnerabilities

CVE-2020-13956 Vulnerability in maven package org.apache.httpcomponents.client5:httpclient5

CVE-2017-2598 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2017-16139 Vulnerability in npm package jikes

CVE-2021-23358 Vulnerability in maven package org.webjars.npm:underscore

CVE-2019-1003060 Vulnerability in maven package org.jenkins-ci.plugins:zap

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory