tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject [SECURITY] CVE-2019-0221 Apache Tomcat XSS in SSI printenv
Date Fri, 17 May 2019 10:10:16 GMT
CVE-2019-0221 Apache Tomcat XSS in SSI printenv

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.17
Apache Tomcat 8.5.0 to 8.5.39
Apache Tomcat 7.0.0 to 7.0.93

Description:
The SSI printenv command echoes user-provided data without escaping and
is, therefore, vulnerable to XSS. SSI is disabled by default. The
printenv command is intended for debugging and is unlikely to be present
in a production website.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Disable SSI
- Upgrade to Apache Tomcat 9.0.18 or later
- Upgrade to Apache Tomcat 8.5.40 or later
- Upgrade to Apache Tomcat 7.0.94 or later
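A configuration check for the "Disable SSI" mitigation, added here and not part of the advisory: it parses a Tomcat conf/web.xml and reports whether the SSI servlet or filter is declared outside an XML comment. The two class names are Tomcat's; the two web.xml samples are constructed for the example.

```python
# Check a Tomcat conf/web.xml for a live (uncommented) SSI servlet or filter.
import xml.etree.ElementTree as ET

# Tomcat ships both of these commented out in conf/web.xml.
SSI_CLASSES = {
    "org.apache.catalina.ssi.SSIServlet",
    "org.apache.catalina.ssi.SSIFilter",
}


def active_ssi_components(web_xml: str) -> list[str]:
    """Return SSI classes declared in web.xml; commented-out entries are not parsed."""
    root = ET.fromstring(web_xml)
    found = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix
        if tag in ("servlet-class", "filter-class"):
            cls = (el.text or "").strip()
            if cls in SSI_CLASSES:
                found.append(cls)
    return found


# Constructed sample: SSI servlet uncommented, as a debugging change might leave it.
SSI_ON = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
</web-app>
"""

# Constructed sample: the same entry left inside a comment (the default shape).
SSI_OFF = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!--
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  -->
</web-app>
"""

if __name__ == "__main__":
    for name, text in (("ssi_on", SSI_ON), ("ssi_off", SSI_OFF)):
        print(name, active_ssi_components(text) or "no SSI servlet/filter declared")
```

Tomcat's SSI how-to also requires the Context to be marked privileged before SSI works, which this check does not inspect; a clean web.xml result is therefore sufficient, not merely necessary, to rule SSI out.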

Credit:
This issue was identified by Nightwatch Cybersecurity Research and
reported to the Apache Tomcat security team via the bug bounty program
sponsored by the EU FOSSA-2 project.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
