CVE-2019-0221 org.apache.tomcat.embed:tomcat-embed-core

Package

Manager: maven
Name: org.apache.tomcat.embed:tomcat-embed-core
Vulnerable Version: >=9.0.0 <9.0.17 || >=8.0.0 <8.5.40 || >=7.0.0 <7.0.94

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.04085 (percentile 0.88117)

Details

Cross-site scripting in Apache Tomcat. The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user-provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

Metadata

Created: 2019-05-30T03:30:42Z
Modified: 2024-03-11T14:33:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/05/GHSA-jjpq-gp5q-8q6w/GHSA-jjpq-gp5q-8q6w.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-jjpq-gp5q-8q6w
Finding: F008
Auto approve: 1