CVE-2019-0232

NameCVE-2019-0232
DescriptionWhen running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat8 (PTS)stretch8.5.54-0+deb9u1fixed
stretch (security)8.5.54-0+deb9u3fixed
tomcat9 (PTS)buster, buster (security)9.0.31-1~deb10u2fixed
bullseye, sid9.0.38-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat8source(unstable)(not affected)
tomcat9source(unstable)(not affected)

Notes

- tomcat9 <not-affected> (Windows-specific)
- tomcat8 <not-affected> (Windows-specific)
https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html

Search for package or bug name: Reporting problems