| Name | CVE-2019-0221 |
| Description | The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1810-1, DLA-1883-1, DSA-4596-1 |
| Debian Bugs | 929895 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| tomcat9 (PTS) | buster | 9.0.31-1~deb10u6 | fixed |
| buster (security) | 9.0.31-1~deb10u12 | fixed | |
| bullseye (security), bullseye | 9.0.43-2~deb11u9 | fixed | |
| sid, trixie, bookworm | 9.0.70-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| tomcat7 | source | jessie | 7.0.56-3+really7.0.94-1 | DLA-1810-1 | ||
| tomcat7 | source | (unstable) | (unfixed) | |||
| tomcat8 | source | jessie | 8.0.14-1+deb8u15 | DLA-1883-1 | ||
| tomcat8 | source | stretch | 8.5.50-0+deb9u1 | DSA-4596-1 | ||
| tomcat8 | source | (unstable) | (unfixed) | |||
| tomcat9 | source | (unstable) | 9.0.16-4 | 929895 |
[stretch] - tomcat7 <ignored> (No components in libservlet3.0-java binary package are affected)
affects debug channel, unlikely to be present in production websites:
https://mail-archives.apache.org/mod_mbox/www-announce/201905.mbox/%3Cb1905aa6-f340-8d0b-58c4-8ac3ebcbfa54@apache.org%3E
https://github.com/apache/tomcat/commit/15fcd16 (9.0.19)
https://github.com/apache/tomcat/commit/4fcdf70 (8.5.39)
https://github.com/apache/tomcat/commit/44ec74c (7.0.93)