https://bugzilla.redhat.com/show_bug.cgi?id=1713275
Bug ID: 1713275 Summary: CVE-2019-0221 tomcat: XSS in SSI printenv Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=moderate,public=20190413,reported=20190523,sour ce=customer,cvss3=6.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U /C:L/I:L/A:L,epel-all/tomcat=affected,fedora-all/tomca t=affected,eap-5/jbossweb=affected,eap-6/jbossweb=affe cted,jdg-6/jbossweb=affected,jdg-7/tomcat=affected,jon -3/jbossweb=affected,rhel-6/tomcat6=new,rhel-7/tomcat= new,rhel-8/pki-deps:10.6/pki-servlet-container=new,bpm s-6/tomcat=affected,brms-5/jbossweb=affected,brms-6/to mcat=affected,jdv-6/jbossweb=affected,fuse-6/tomcat=af fected,fuse-7/tomcat=affected Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: darunesh@redhat.com CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, alee@redhat.com, almorale@redhat.com, anstephe@redhat.com, bmaxwell@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, fgavrilo@redhat.com, ibek@redhat.com, ivan.afonichev@gmail.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jkurik@redhat.com, jochrist@redhat.com, jolee@redhat.com, jondruse@redhat.com, jschatte@redhat.com, jstastny@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, lgao@redhat.com, loleary@redhat.com, lpetrovi@redhat.com, mnovotny@redhat.com, paradhya@redhat.com, pgier@redhat.com, pjurak@redhat.com, ppalaga@redhat.com, psakar@redhat.com, pslavice@redhat.com, rhcs-maint@redhat.com, rnetuka@redhat.com, rrajasek@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sdaley@redhat.com, spinder@redhat.com, theute@redhat.com, tom.jenkinson@redhat.com, twalsh@redhat.com, vhalbert@redhat.com, vtunka@redhat.com Target Milestone: --- Classification: Other
The SSI printenv command echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
Reference: http://tomcat.apache.org/security-9.html
Upstream commit: https://github.com/apache/tomcat/commit/15fcd16