CVE-2019-0221 — tomcat7 - security update

Description

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

How to fix CVE-2019-0221

To remediate CVE-2019-0221, upgrade the affected package to a fixed version below.

—upgrade to 7.0.56-3+really7.0.94-1 or later
—upgrade to 9.0.16-4 or later
—upgrade to 9.0.17 or later

Is CVE-2019-0221 being exploited?

Moderate — EPSS is 14.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (3)

from 0, < 7.0.56-3+really7.0.94-1
from 0, < 9.0.16-4
>= 9.0.0, < 9.0.17

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (48)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-0221
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-0221
PATCHgithub.com/apache/tomcat
WEBlists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html