Lucene search

GoogleOSV:GHSA-JJPQ-GP5Q-8Q6W

HistoryMay 30, 2019 - 3:30 a.m.

Cross-site scripting in Apache Tomcat

2019-05-3003:30:42

Google

osv.dev

0.011 Low

EPSS

Percentile

84.5%

JSON

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

CPENameOperatorVersion
org.apache.tomcat.embed:tomcat-embed-coreeq8.0.52
org.apache.tomcat.embed:tomcat-embed-coreeq9.0.4
org.apache.tomcat.embed:tomcat-embed-coreeq8.5.21
org.apache.tomcat.embed:tomcat-embed-coreeq8.5.35
org.apache.tomcat.embed:tomcat-embed-coreeq8.0.1
org.apache.tomcat.embed:tomcat-embed-coreeq7.0.23
org.apache.tomcat.embed:tomcat-embed-coreeq8.0.37
org.apache.tomcat.embed:tomcat-embed-coreeq8.5.29
org.apache.tomcat.embed:tomcat-embed-coreeq7.0.6
org.apache.tomcat.embed:tomcat-embed-coreeq7.0.69

Name	Operator	Version
org.apache.tomcat.embed:tomcat-embed-core	eq	8.0.52
org.apache.tomcat.embed:tomcat-embed-core	eq	9.0.4
org.apache.tomcat.embed:tomcat-embed-core	eq	8.5.21
org.apache.tomcat.embed:tomcat-embed-core	eq	8.5.35
org.apache.tomcat.embed:tomcat-embed-core	eq	8.0.1
org.apache.tomcat.embed:tomcat-embed-core	eq	7.0.23
org.apache.tomcat.embed:tomcat-embed-core	eq	8.0.37
org.apache.tomcat.embed:tomcat-embed-core	eq	8.5.29
org.apache.tomcat.embed:tomcat-embed-core	eq	7.0.6
org.apache.tomcat.embed:tomcat-embed-core	eq	7.0.69

Rows per page:

1-10 of 1501

References

lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html

lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html

packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html

seclists.org/fulldisclosure/2019/May/50

access.redhat.com/errata/RHSA-2019:3929

access.redhat.com/errata/RHSA-2019:3931

github.com/apache/tomcat

github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceea

github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7e

github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32da

lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E

lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E

lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E

lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E

lists.debian.org/debian-lts-announce/2019/05/msg00044.html

lists.debian.org/debian-lts-announce/2019/08/msg00015.html

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46

lists.fedoraproject.org/archives/list/[email protected]/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3

lists.fedoraproject.org/archives/list/[email protected]/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46

nvd.nist.gov/vuln/detail/CVE-2019-0221

seclists.org/bugtraq/2019/Dec/43

security.gentoo.org/glsa/202003-43

security.netapp.com/advisory/ntap-20190606-0001

support.f5.com/csp/article/K13184144?utm_source=f5support&amp%3Butm_medium=RSS

support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS

tomcat.apache.org/security-7.html

tomcat.apache.org/security-8.html

tomcat.apache.org/security-9.html

usn.ubuntu.com/4128-1

usn.ubuntu.com/4128-2

web.archive.org/web/20200227055048/www.securityfocus.com/bid/108545

www.debian.org/security/2019/dsa-4596

www.oracle.com/security-alerts/cpuapr2020.html

www.oracle.com/security-alerts/cpuApr2021.html

www.oracle.com/security-alerts/cpujan2020.html

wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221

0.011 Low

EPSS

Percentile

84.5%

JSON

Related for OSV:GHSA-JJPQ-GP5Q-8Q6W