Vulnerability in Apache Tomcat

CVE-2019-0221

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user-provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intend…

EPSS: 0.145 (94.6th percentile)

Affected products

  • Apache Tomcat — versions 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, 7.0.0 to 7.0.93

Frequently asked questions

What is CVE-2019-0221?
CVE-2019-0221 is a vulnerability in Apache Tomcat. Published 2019-05-28.

Is CVE-2019-0221 known to be exploited?
19 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.