Description

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Remediation

References

http://seclists.org/fulldisclosure/2019/May/50

https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html

http://www.securityfocus.com/bid/108545

https://security.netapp.com/advisory/ntap-20190606-0001/

https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html

https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html

https://usn.ubuntu.com/4128-1/

https://usn.ubuntu.com/4128-2/

https://access.redhat.com/errata/RHSA-2019:3931

https://access.redhat.com/errata/RHSA-2019:3929

https://www.debian.org/security/2019/dsa-4596

https://seclists.org/bugtraq/2019/Dec/43

https://www.oracle.com/security-alerts/cpujan2020.html

https://security.gentoo.org/glsa/202003-43

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpuApr2021.html

http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/

https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E

https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS

Related Vulnerabilities

CVE-2022-43405 Vulnerability in maven package io.jenkins.plugins:pipeline-groovy-lib

CVE-2022-31160 Vulnerability in maven package org.webjars.npm:jquery-ui

CVE-2018-1229 Vulnerability in maven package org.springframework.batch:spring-batch-admin

CVE-2020-8149 Vulnerability in npm package logkitty

CVE-2019-0219 Vulnerability in npm package cordova-plugin-inappbrowser

Severity

High

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Tags

Third Party Advisory