Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2019/05/17 10:10:16 UTC

[SECURITY] CVE-2019-0221 Apache Tomcat XSS in SSI printenv

CVE-2019-0221 Apache Tomcat XSS in SSI printenv

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.17
Apache Tomcat 8.5.0 to 8.5.39
Apache Tomcat 7.0.0 to 7.0.93

Description:
The SSI printenv command echoes user provided data without escaping and
is, therefore, vulnerable to XSS. SSI is disabled by default. The
printenv command is intended for debugging and is unlikely to be present
in a production website.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Disable SSI
- Upgrade to Apache Tomcat 9.0.18 or later
- Upgrade to Apache Tomcat 8.5.40 or later
- Upgrade to Apache Tomcat 7.0.94 or later
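A defender-side check that follows from the description and the mitigation list, written here as an added example (it is not part of the advisory and not Tomcat project code): it tests the two conditions the advisory names, an affected version and SSI actually being enabled, against a Tomcat version string and the text of a web.xml. The version ranges are the ones listed above; the class names org.apache.catalina.ssi.SSIServlet and org.apache.catalina.ssi.SSIFilter are Tomcat's own SSI implementation classes, which ship commented out in the default conf/web.xml; the two web.xml fragments are constructed samples.

```python
"""Audit check for CVE-2019-0221 exposure on a Tomcat instance.

Two conditions must both hold for the advisory to apply:
  1. the Tomcat version is in an affected range, and
  2. SSI is actually enabled, i.e. the SSIServlet or SSIFilter is declared
     (not commented out) in conf/web.xml or a webapp's WEB-INF/web.xml.
Added example; not code from the advisory or from the Tomcat project.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: (major, minor) -> highest affected patch.
AFFECTED_MAX_PATCH = {(9, 0): 17, (8, 5): 39, (7, 0): 93}

# Tomcat's SSI implementation classes (the stock conf/web.xml carries
# commented-out declarations for both).
SSI_CLASSES = {
    "org.apache.catalina.ssi.SSIServlet",
    "org.apache.catalina.ssi.SSIFilter",
}


def is_affected_version(version):
    """True if the Tomcat version string is in an affected range.

    Milestones such as 9.0.0.M1 have patch level 0 and so fall inside the
    9.0.x range with no special casing. Branches the advisory does not list
    (e.g. 10.x) return False."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    max_patch = AFFECTED_MAX_PATCH.get((major, minor))
    return max_patch is not None and patch <= max_patch


def _local_name(tag):
    """Strip the XML namespace so javaee and java.sun.com web.xml both match."""
    return tag.rsplit("}", 1)[-1]


def ssi_enabled(web_xml_text):
    """True if an uncommented SSIServlet/SSIFilter declaration is present.

    ElementTree discards XML comments while parsing, so the commented-out
    stock declarations in a default conf/web.xml are not counted."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        if _local_name(el.tag) in ("servlet-class", "filter-class"):
            if (el.text or "").strip() in SSI_CLASSES:
                return True
    return False


def assess(version, web_xml_text):
    """Return (affected_version, ssi_on, exposed) for one instance."""
    affected = is_affected_version(version)
    ssi_on = ssi_enabled(web_xml_text)
    return affected, ssi_on, affected and ssi_on


# Constructed sample inputs (not taken from any real deployment).
WEB_XML_SSI_ON = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
  </servlet-mapping>
</web-app>
"""

WEB_XML_SSI_OFF = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!--
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  -->
</web-app>
"""

if __name__ == "__main__":
    for ver, xml in [("8.5.39", WEB_XML_SSI_ON), ("8.5.39", WEB_XML_SSI_OFF),
                     ("8.5.40", WEB_XML_SSI_ON)]:
        print(ver, "ssi_on=%s exposed=%s" % assess(ver, xml)[1:])
```

Tomcat additionally requires the web application's context to be privileged before SSI will run; this check does not read context.xml, so it deliberately errs toward reporting a declared SSI servlet or filter as enabled. An instance that reports exposed=True is covered by the advisory and should take one of the mitigations listed above; one that reports an affected version with SSI off is outside the advisory's scope but still on an unsupported patch level.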

Credit:
This issue was identified by Nightwatch Cybersecurity Research and
reported to the Apache Tomcat security team via the bug bounty program
sponsored by the EU FOSSA-2 project.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html