CVE-2019-0221: XSS
First published: Sat Apr 13 2019(Updated: )
Apache Tomcat is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the SSI printenv command. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tomcat7 | <0:7.0.70-38.ep7.el6 | 0:7.0.70-38.ep7.el6 |
| redhat/tomcat8 | <0:8.0.36-42.ep7.el6 | 0:8.0.36-42.ep7.el6 |
| redhat/tomcat-native | <0:1.2.23-21.redhat_21.ep7.el6 | 0:1.2.23-21.redhat_21.ep7.el6 |
| redhat/tomcat7 | <0:7.0.70-38.ep7.el7 | 0:7.0.70-38.ep7.el7 |
| redhat/tomcat8 | <0:8.0.36-42.ep7.el7 | 0:8.0.36-42.ep7.el7 |
| redhat/tomcat-native | <0:1.2.23-21.redhat_21.ep7.el7 | 0:1.2.23-21.redhat_21.ep7.el7 |
| redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el6 | 0:4.12.0-1.redhat_1.1.el6 |
| redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el6 | 0:3.4.1-5.15.11.el6 |
| redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el6 | 0:3.3.2-1.Final_redhat_00001.1.el6 |
| redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el6 | 0:9.0.21-10.redhat_4.1.el6 |
| redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el6 | 0:1.2.21-34.redhat_34.el6 |
| redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el6 | 0:1.1.8-1.Final_redhat_1.1.el6 |
| redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el7 | 0:4.12.0-1.redhat_1.1.el7 |
| redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el7 | 0:3.4.1-5.15.11.el7 |
| redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el7 | 0:3.3.2-1.Final_redhat_00001.1.el7 |
| redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el7 | 0:9.0.21-10.redhat_4.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el7 | 0:1.2.21-34.redhat_34.el7 |
| redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el7 | 0:1.1.8-1.Final_redhat_1.1.el7 |
| redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el8 | 0:4.12.0-1.redhat_1.1.el8 |
| redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el8 | 0:3.4.1-5.15.11.el8 |
| redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el8 | 0:3.3.2-1.Final_redhat_00001.1.el8 |
| redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el8 | 0:9.0.21-10.redhat_4.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el8 | 0:1.2.21-34.redhat_34.el8 |
| redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el8 | 0:1.1.8-1.Final_redhat_1.1.el8 |
| IBM GDE | <=3.0.0.2 | |
| Apache Tomcat | >=7.0.0<=7.0.93 | |
| Apache Tomcat | >=8.5.0<=8.5.39 | |
| Apache Tomcat | >=9.0.1<=9.0.17 | |
| Apache Tomcat | =9.0.0-m1 | |
| Apache Tomcat | =9.0.0-m10 | |
| Apache Tomcat | =9.0.0-m11 | |
| Apache Tomcat | =9.0.0-m12 | |
| Apache Tomcat | =9.0.0-m13 | |
| Apache Tomcat | =9.0.0-m14 | |
| Apache Tomcat | =9.0.0-m15 | |
| Apache Tomcat | =9.0.0-m16 | |
| Apache Tomcat | =9.0.0-m17 | |
| Apache Tomcat | =9.0.0-m18 | |
| Apache Tomcat | =9.0.0-m19 | |
| Apache Tomcat | =9.0.0-m2 | |
| Apache Tomcat | =9.0.0-m20 | |
| Apache Tomcat | =9.0.0-m21 | |
| Apache Tomcat | =9.0.0-m22 | |
| Apache Tomcat | =9.0.0-m23 | |
| Apache Tomcat | =9.0.0-m24 | |
| Apache Tomcat | =9.0.0-m25 | |
| Apache Tomcat | =9.0.0-m26 | |
| Apache Tomcat | =9.0.0-m27 | |
| Apache Tomcat | =9.0.0-m3 | |
| Apache Tomcat | =9.0.0-m4 | |
| Apache Tomcat | =9.0.0-m5 | |
| Apache Tomcat | =9.0.0-m6 | |
| Apache Tomcat | =9.0.0-m7 | |
| Apache Tomcat | =9.0.0-m8 | |
| Apache Tomcat | =9.0.0-m9 | |
| Apache Tomcat | =9.0.0-milestone1 | |
| Apache Tomcat | =9.0.0-milestone10 | |
| Apache Tomcat | =9.0.0-milestone11 | |
| Apache Tomcat | =9.0.0-milestone12 | |
| Apache Tomcat | =9.0.0-milestone13 | |
| Apache Tomcat | =9.0.0-milestone14 | |
| Apache Tomcat | =9.0.0-milestone15 | |
| Apache Tomcat | =9.0.0-milestone16 | |
| Apache Tomcat | =9.0.0-milestone17 | |
| Apache Tomcat | =9.0.0-milestone18 | |
| Apache Tomcat | =9.0.0-milestone19 | |
| Apache Tomcat | =9.0.0-milestone2 | |
| Apache Tomcat | =9.0.0-milestone20 | |
| Apache Tomcat | =9.0.0-milestone21 | |
| Apache Tomcat | =9.0.0-milestone22 | |
| Apache Tomcat | =9.0.0-milestone23 | |
| Apache Tomcat | =9.0.0-milestone24 | |
| Apache Tomcat | =9.0.0-milestone25 | |
| Apache Tomcat | =9.0.0-milestone26 | |
| Apache Tomcat | =9.0.0-milestone27 | |
| Apache Tomcat | =9.0.0-milestone3 | |
| Apache Tomcat | =9.0.0-milestone4 | |
| Apache Tomcat | =9.0.0-milestone5 | |
| Apache Tomcat | =9.0.0-milestone6 | |
| Apache Tomcat | =9.0.0-milestone7 | |
| Apache Tomcat | =9.0.0-milestone8 | |
| Apache Tomcat | =9.0.0-milestone9 | |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=7.0.0<7.0.94 | 7.0.94 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.0.0<8.5.40 | 8.5.40 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0<9.0.17 | 9.0.17 |
| ubuntu/tomcat8 | <8.5.39-1ubuntu1~18.04.3 | 8.5.39-1ubuntu1~18.04.3 |
| ubuntu/tomcat8 | <8.0.32-1ubuntu1.10 | 8.0.32-1ubuntu1.10 |
| ubuntu/tomcat9 | <9.0.16-3ubuntu0.18.04.1 | 9.0.16-3ubuntu0.18.04.1 |
| ubuntu/tomcat9 | <9.0.16-3ubuntu0.19.04.1 | 9.0.16-3ubuntu0.19.04.1 |
| debian/tomcat9 | 9.0.31-1~deb10u6 9.0.31-1~deb10u12 9.0.43-2~deb11u9 9.0.43-2~deb11u10 9.0.70-2 |
Remedy
SSI is disabled in the default Tomcat configuration. The vulnerable printenv command is intended for debugging, and is recommended to not be enabled for a production website.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-0221 https://nvd.nist.gov/vuln/detail/CVE-2019-0221
- https://bugzilla.redhat.com/show_bug.cgi?id=1713275
- https://access.redhat.com/errata/RHSA-2020:0860
- https://access.redhat.com/errata/RHSA-2020:0861
- https://access.redhat.com/errata/RHSA-2019:3931
- https://access.redhat.com/errata/RHSA-2019:3929
- https://access.redhat.com/security/cve/cve-2019-0221
- https://exchange.xforce.ibmcloud.com/vulnerabilities/161746
- https://www.ibm.com/support/pages/node/6320835 (Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html
- http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2019/May/50
- http://www.securityfocus.com/bid/108545
- https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c@%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html
- https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/
- https://seclists.org/bugtraq/2019/Dec/43
- https://security.gentoo.org/glsa/202003-43
- https://security.netapp.com/advisory/ntap-20190606-0001/
- https://support.f5.com/csp/article/K13184144?utm_source=f5support&utm_medium=RSS
- https://usn.ubuntu.com/4128-1/
- https://usn.ubuntu.com/4128-2/
- https://www.debian.org/security/2019/dsa-4596
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221/
- https://lists.apache.org/thread.html/6e6e9eacf7b28fd63d249711e9d3ccd4e0a83f556e324aee37be5a8c%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/
- https://support.f5.com/csp/article/K13184144?utm_source=f5support&%3Butm_medium=RSS
- https://support.f5.com/csp/article/K13184144?utm_source=f5support&amp;utm_medium=RSS
- https://launchpad.net/bugs/cve/CVE-2019-0221
- http://tomcat.apache.org/security-9.html
- https://github.com/apache/tomcat/commit/15fcd16
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1713279
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1713280
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://nvd.nist.gov/vuln/detail/CVE-2019-0221
- https://web.archive.org/web/20200227055048/http://www.securityfocus.com/bid/108545
- https://github.com/apache/tomcat/commit/15fcd166ea2c1bb79e8541b8e1a43da9c452ceea
- https://github.com/apache/tomcat/commit/44ec74c44dcd05cd7e90967c04d40b51440ecd7e
- https://github.com/apache/tomcat/commit/4fcdf706f3ecf35912a600242f89637f5acb32da
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46
- https://security.netapp.com/advisory/ntap-20190606-0001
- https://tomcat.apache.org/security-7.html
- https://tomcat.apache.org/security-8.html
- https://tomcat.apache.org/security-9.html
- https://usn.ubuntu.com/4128-1
- https://usn.ubuntu.com/4128-2
- https://wwws.nightwatchcybersecurity.com/2019/05/27/xss-in-ssi-printenv-command-apache-tomcat-cve-2019-0221
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46
- https://github.com/advisories/GHSA-jjpq-gp5q-8q6w (Advisory)
- https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3Cb1905aa6-f340-8d0b-58c4-8ac3ebcbfa54@apache.org%3E
- https://github.com/apache/tomcat/commit/4fcdf70
- https://github.com/apache/tomcat/commit/44ec74c
- https://security-tracker.debian.org/tracker/CVE-2019-0221
- https://ubuntu.com/security/notices/USN-4128-1
- https://ubuntu.com/security/notices/USN-4128-2
- https://www.cve.org/CVERecord?id=CVE-2019-0221
- https://ubuntu.com/security/CVE-2019-0221
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-0221?
CVE-2019-0221 is a vulnerability in the printenv command in Apache Tomcat 7.0.0 to 7.0.93, 8.5.0 to 8.5.39, and 9.0.0.M1 to 9.0.0.17 that allows for cross-site scripting (XSS) attacks.
How severe is CVE-2019-0221?
The severity of CVE-2019-0221 is rated as medium.
What is the affected software for CVE-2019-0221?
The affected software versions are Apache Tomcat 7.0.0 to 7.0.93, 8.5.0 to 8.5.39, and 9.0.0.M1 to 9.0.0.17.
How can I fix CVE-2019-0221?
To fix CVE-2019-0221, update your Apache Tomcat installation to version 7.0.94, 8.5.40, or 9.0.18 or later.
Where can I find more information about CVE-2019-0221?
You can find more information about CVE-2019-0221 on the Apache Tomcat security page and the GitHub commit page.
- collector/redhat-cve
- collector/ibm-support
- collector/nvd-index
- collector/nvd-api
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-0221
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/remedy
- agent/author
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jjpq-gp5q-8q6w
- agent/references
- agent/last-modified-date
- collector/github-advisory
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/ibm
- canonical/ibm gde
- version/ibm gde/3.0.0.2
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/7.0.0
- version/apache tomcat/7.0.93
- version/apache tomcat/8.5.0
- version/apache tomcat/8.5.39
- version/apache tomcat/9.0.1
- version/apache tomcat/9.0.17
- version/apache tomcat/9.0.0-m1
- version/apache tomcat/9.0.0-m10
- version/apache tomcat/9.0.0-m11
- version/apache tomcat/9.0.0-m12
- version/apache tomcat/9.0.0-m13
- version/apache tomcat/9.0.0-m14
- version/apache tomcat/9.0.0-m15
- version/apache tomcat/9.0.0-m16
- version/apache tomcat/9.0.0-m17
- version/apache tomcat/9.0.0-m18
- version/apache tomcat/9.0.0-m19
- version/apache tomcat/9.0.0-m2
- version/apache tomcat/9.0.0-m20
- version/apache tomcat/9.0.0-m21
- version/apache tomcat/9.0.0-m22
- version/apache tomcat/9.0.0-m23
- version/apache tomcat/9.0.0-m24
- version/apache tomcat/9.0.0-m25
- version/apache tomcat/9.0.0-m26
- version/apache tomcat/9.0.0-m27
- version/apache tomcat/9.0.0-m3
- version/apache tomcat/9.0.0-m4
- version/apache tomcat/9.0.0-m5
- version/apache tomcat/9.0.0-m6
- version/apache tomcat/9.0.0-m7
- version/apache tomcat/9.0.0-m8
- version/apache tomcat/9.0.0-m9
- version/apache tomcat/9.0.0-milestone1
- version/apache tomcat/9.0.0-milestone10
- version/apache tomcat/9.0.0-milestone11
- version/apache tomcat/9.0.0-milestone12
- version/apache tomcat/9.0.0-milestone13
- version/apache tomcat/9.0.0-milestone14
- version/apache tomcat/9.0.0-milestone15
- version/apache tomcat/9.0.0-milestone16
- version/apache tomcat/9.0.0-milestone17
- version/apache tomcat/9.0.0-milestone18
- version/apache tomcat/9.0.0-milestone19
- version/apache tomcat/9.0.0-milestone2
- version/apache tomcat/9.0.0-milestone20
- version/apache tomcat/9.0.0-milestone21
- version/apache tomcat/9.0.0-milestone22
- version/apache tomcat/9.0.0-milestone23
- version/apache tomcat/9.0.0-milestone24
- version/apache tomcat/9.0.0-milestone25
- version/apache tomcat/9.0.0-milestone26
- version/apache tomcat/9.0.0-milestone27
- version/apache tomcat/9.0.0-milestone3
- version/apache tomcat/9.0.0-milestone4
- version/apache tomcat/9.0.0-milestone5
- version/apache tomcat/9.0.0-milestone6
- version/apache tomcat/9.0.0-milestone7
- version/apache tomcat/9.0.0-milestone8
- version/apache tomcat/9.0.0-milestone9
- package-manager/maven
- package-manager/debian
- package-manager/ubuntu