Vulnerability in Apache Tomcat
CVE-2019-0232
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command lin…
EPSS: 0.942 (99.9th percentile). EPSS estimates the probability that the vulnerability is exploited in the wild within the next 30 days; a score this high means exploitation attempts should be assumed for any exposed instance.
Affected products
- Apache Tomcat — versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, 7.0.0 to 7.0.93
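The description above names three preconditions that must all hold before a host is exposed: Tomcat is running on Windows, the version falls in one of the affected ranges, and a CGIServlet that is actually mapped to a URL has enableCmdLineArguments in effect. The following Python check, added here as an example and not taken from the page or from the Tomcat project, tests the last two against a version string and a web.xml. The sample web.xml is constructed for the example; the pre-fix default of enableCmdLineArguments (off on 9.0.x, on for the older branches) follows the full advisory text, and the function and constant names are my own.

```python
# Pre-condition check for CVE-2019-0232 (added example, not Tomcat project code).
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: (major, minor) -> highest affected patch.
# 9.0.0.M1..M27 parse as patch 0 and so fall under the 9.0 entry.
AFFECTED = {(9, 0): 17, (8, 5): 39, (7, 0): 93}

# Pre-fix default of enableCmdLineArguments per branch (advisory text:
# disabled by default on 9.0.x, enabled on the older branches).
PRE_FIX_DEFAULT = {7: True, 8: True, 9: False}

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

# Constructed sample: a web.xml with the CGI servlet uncommented and mapped.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi-bin</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def parse_version(version):
    """Return (major, minor, patch) for strings like 8.5.39 or 9.0.0.M1."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % version)
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected_version(version):
    major, minor, patch = parse_version(version)
    max_patch = AFFECTED.get((major, minor))
    return max_patch is not None and patch <= max_patch


def _local(tag):
    """Strip the XML namespace so web.xml files of any schema version match."""
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def cgi_cmdline_enabled(web_xml_text, default_enabled):
    """Map each *mapped* CGIServlet name to whether command-line args are on."""
    root = ET.fromstring(web_xml_text)
    mapped = set()
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            for child in el:
                if _local(child.tag) == "servlet-name":
                    mapped.add(_text(child))
    result = {}
    for el in root.iter():
        if _local(el.tag) != "servlet":
            continue
        name, cls, params = None, None, {}
        for child in el:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = _text(child)
            elif tag == "servlet-class":
                cls = _text(child)
            elif tag == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = _text(p)
                    elif _local(p.tag) == "param-value":
                        pvalue = _text(p)
                if pname:
                    params[pname] = pvalue
        if cls == CGI_SERVLET_CLASS and name in mapped:
            value = params.get("enableCmdLineArguments")
            # An absent init-param means the branch default applies.
            result[name] = default_enabled if value is None else value.lower() == "true"
    return result


def assess(version, web_xml_text, on_windows):
    """Combine the three preconditions into one verdict."""
    affected = is_affected_version(version)
    # The pre-fix default only matters on an affected (unpatched) version.
    default = PRE_FIX_DEFAULT.get(parse_version(version)[0], False) if affected else False
    enabled = cgi_cmdline_enabled(web_xml_text, default)
    exposed = sorted(n for n, on in enabled.items() if on)
    return {
        "affected_version": affected,
        "cgi_servlets_with_cmdline_args": exposed,
        "vulnerable": bool(on_windows and affected and exposed),
    }


if __name__ == "__main__":
    print(assess("8.5.39", SAMPLE_WEB_XML, on_windows=True))
```

Point the check at conf/web.xml (the CGI servlet there ships commented out, so a mapped CGIServlet is itself a finding worth a look) and at any application web.xml that declares its own CGIServlet. The fix is to upgrade to 9.0.18, 8.5.40 or 7.0.94 or later; on a version that cannot be upgraded yet, setting enableCmdLineArguments to false, or leaving the CGI servlet unmapped, removes the precondition the check tests for.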
Public proof-of-concept exploits
- pyn3rd/CVE-2019-0232
- jas502n/CVE-2019-0232
- jaiguptanick/CVE-2019-0232
- setrus/CVE-2019-0232
- cyy95/CVE-2019-0232-EXP
- Dharan10/CVE-2019-0232
- Jorge2Rubio/CVE-2019-0232
- Nicoslo/Windows-Exploitation-Web-Server-Tomcat-8.5.39-CVE-2019-0232
- Nicoslo/Windows-exploitation-Apache-Tomcat-8.5.19-CVE-2019-0232-
- r4vl1t0/CVE-2019-0232
References
- [tomcat-users] 20190410 [SECURITY] CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows (mailing-list, x_refsource_MLIST)
- [tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ (mailing-list, x_refsource_MLIST)
- [ofbiz-commits] 20190415 svn commit: r1857587 - in /ofbiz: ofbiz-framework/branches/release18.12/build.gradle ofbiz-plugins/branches/release18.12/example/build.gradle (mailing-list, x_refsource_MLIST)
- [tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ (mailing-list, x_refsource_MLIST)
- [ofbiz-commits] 20190415 svn commit: r1857586 - in /ofbiz: ofbiz-framework/trunk/build.gradle ofbiz-plugins/trunk/example/build.gradle (mailing-list, x_refsource_MLIST)
- [tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ (mailing-list, x_refsource_MLIST)
- [ofbiz-commits] 20190415 svn commit: r1857588 - in /ofbiz: ofbiz-framework/branches/release17.12/build.gradle ofbiz-plugins/branches/release17.12/example/build.gradle (mailing-list, x_refsource_MLIST)
- [ofbiz-notifications] 20190415 [jira] [Commented] (OFBIZ-10920) Update Tomcat to 9.0.18 due to CVE-2019-0232 (mailing-list, x_refsource_MLIST)
- [ofbiz-notifications] 20190415 [jira] [Closed] (OFBIZ-10920) Update Tomcat to 9.0.18 due to CVE-2019-0232 (mailing-list, x_refsource_MLIST)
- 107906 (vdb-entry, x_refsource_BID)
Frequently asked questions
- What is CVE-2019-0232?
- CVE-2019-0232 is a vulnerability in Apache Tomcat. Published 2019-04-15.
- Is CVE-2019-0232 known to be exploited?
- 51 public proof-of-concept repositories are indexed (ten are listed above), so working exploit code is freely available. Not currently listed in the CISA KEV catalog.