CVE-2019-0232

NameCVE-2019-0232
DescriptionWhen running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat8 (PTS)jessie8.0.14-1+deb8u11fixed
jessie (security)8.0.14-1+deb8u15fixed
stretch (security), stretch8.5.50-0+deb9u1fixed
tomcat9 (PTS)buster9.0.16-4fixed
bullseye, sid9.0.27-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat8source(unstable)(not affected)
tomcat9source(unstable)(not affected)

Notes

- tomcat9 <not-affected> (Windows-specific)
- tomcat8 <not-affected> (Windows-specific)
https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html

Search for package or bug name: Reporting problems