CVE-2019-0221

Public on 2019-07-17
Modified on 2019-07-25
Description
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
Severity
Low
CVSS v3 Base Score
5.0
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 tomcat8 2019-07-17 23:21 ALAS-2019-1234
Amazon Linux 1 tomcat7 2019-07-17 23:23 ALAS-2019-1235

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
NVD CVSSv2 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
NVD CVSSv3 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N