Description
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
Remediation
References
http://seclists.org/fulldisclosure/2019/May/50
https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html
http://www.securityfocus.com/bid/108545
https://security.netapp.com/advisory/ntap-20190606-0001/
https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html
https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html
https://usn.ubuntu.com/4128-1/
https://usn.ubuntu.com/4128-2/
https://access.redhat.com/errata/RHSA-2019:3931
https://access.redhat.com/errata/RHSA-2019:3929
https://www.debian.org/security/2019/dsa-4596
https://seclists.org/bugtraq/2019/Dec/43
https://www.oracle.com/security-alerts/cpujan2020.html
https://security.gentoo.org/glsa/202003-43
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpuApr2021.html
http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E
https://support.f5.com/csp/article/K13184144?utm_source=f5support&%3Butm_medium=RSS
Related Vulnerabilities
CVE-2020-8897 Vulnerability in maven package com.amazonaws:aws-encryption-sdk-java
CVE-2018-9207 Vulnerability in maven package org.webjars.bower:jquery-file-upload
CVE-2019-9843 Vulnerability in maven package com.diffplug.spotless:spotless-plugin-gradle
CVE-2020-2276 Vulnerability in maven package org.jenkins-ci.plugins:selection-tasks-plugin