CVE-2019-0221
Cross-Site Scripting (XSS) vulnerability in tomcat-embed-core (Maven)
What is CVE-2019-0221 About?
Apache Tomcat versions 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are vulnerable to Cross-Site Scripting (XSS) because the SSI printenv command echoes user-provided data without escaping it. If SSI is enabled and the printenv command is used in a production environment, an attacker could execute arbitrary client-side script in a user's browser. Exploitation requires both that SSI is enabled and that the printenv command is in use.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
  - >7.0.0, <7.0.94
  - >8.0.0, <8.5.40
  - >9.0.0, <9.0.17
Technical Details
The vulnerability occurs in Apache Tomcat when the Server Side Includes (SSI) printenv command is enabled and used. The printenv command displays a set of environment variables, some of which are derived from user input (e.g., URL parameters, HTTP headers). The flaw is that printenv writes this user-provided data directly into the HTML response without sanitizing or escaping special characters. An attacker can craft a request containing script tags or other HTML markup in a parameter that printenv will display. If a user's browser renders that page, the injected script executes in the context of the user's browser session, which is the definition of XSS. The practical impact is limited by the unusual configuration it requires: SSI must be enabled and printenv must be in use outside of a debugging context.
What is the Impact of CVE-2019-0221?
Successful exploitation may allow attackers to execute arbitrary client-side script in a victim's browser, leading to session hijacking, defacement of the website, or redirection to malicious sites.
What is the Exploitability of CVE-2019-0221?
Exploitation requires that SSI (Server Side Includes) is explicitly enabled in Apache Tomcat, as it is disabled by default, and that the printenv command is used on a web page. Complexity is considered low: once the vulnerable endpoint is identified, crafting a suitable XSS payload is straightforward. No authentication is required if the vulnerable page is publicly accessible; if the page sits behind an authenticated session, authentication becomes a prerequisite. Privilege requirements are low, since the attack only relies on injecting data into a response. This is a remote vulnerability, as the attacker influences the content served to other users. The key constraints are SSI being enabled and printenv being used, intentionally or accidentally, on a production site.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-0221?
About the Fix from Resolved Security
The patch changes the way environment variables are retrieved for the SSI printenv command by specifying that their values are to be encoded as entities, preventing the output from including unescaped characters. This mitigates CVE-2019-0221, which allowed attackers to inject arbitrary content, including scripts, via specially crafted environment variable values, leading to potential XSS vulnerabilities.
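To make the difference between the flawed and the patched behaviour concrete, the following added example (written for this page, not code from Apache Tomcat) simulates a printenv-style listing over a constructed set of CGI-style environment variables. The first renderer copies values verbatim into the HTML response, which is the behaviour described in the technical details above; the second applies HTML entity encoding to names and values before output, which is the approach the fix takes. A small checker shows how a defender can verify that no markup characters from a variable value survive into the rendered page unencoded. The variable names and values are constructed for illustration.

```python
import html

# Constructed sample of the environment a CGI-style printenv would expose.
# QUERY_STRING and HTTP_USER_AGENT are attacker-influenced request data;
# the markup in them is a deliberately benign marker, not a real payload.
SAMPLE_ENV = {
    "SERVER_NAME": "example.internal",            # constructed
    "QUERY_STRING": "q=<script>marker</script>",  # constructed
    "HTTP_USER_AGENT": 'Mozilla/5.0 "quoted"',    # constructed
}

# Characters that must never reach an HTML text node or attribute unencoded.
MARKUP_CHARS = ('<', '>', '"', "'", '&')


def render_printenv_unescaped(env):
    """Flawed pattern (what CVE-2019-0221 describes): values are copied
    verbatim into the response, so markup in a request-derived variable
    becomes live HTML in the page."""
    lines = [f"{name}={value}" for name, value in sorted(env.items())]
    return "<pre>\n" + "\n".join(lines) + "\n</pre>"


def render_printenv_escaped(env):
    """Hardened pattern (what the fix does): every name and value is encoded
    as HTML entities before it is written, so the browser displays the
    characters instead of interpreting them as markup."""
    lines = [
        f"{html.escape(name, quote=True)}={html.escape(str(value), quote=True)}"
        for name, value in sorted(env.items())
    ]
    return "<pre>\n" + "\n".join(lines) + "\n</pre>"


def unsafe_values(env, rendered):
    """Return the names of variables whose raw value, containing markup
    characters, appears unencoded in the rendered page. An empty list means
    the output encoding did its job for this input."""
    findings = []
    for name, value in env.items():
        value = str(value)
        if any(ch in value for ch in MARKUP_CHARS) and value in rendered:
            findings.append(name)
    return sorted(findings)


if __name__ == "__main__":
    flawed = render_printenv_unescaped(SAMPLE_ENV)
    fixed = render_printenv_escaped(SAMPLE_ENV)
    print("unescaped output leaks:", unsafe_values(SAMPLE_ENV, flawed))
    print("escaped output leaks:  ", unsafe_values(SAMPLE_ENV, fixed))
    print(fixed)
```

The checker is deliberately simple: it only asks whether a value containing markup characters appears verbatim in the output. That is enough to catch the class of defect here (no output encoding at all), and it is the same question a reviewer should ask of any server-side template or include that prints request-derived data.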
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >7.0.0, <7.0.94 → Upgrade to 7.0.94
  - >8.0.0, <8.5.40 → Upgrade to 8.5.40
  - >9.0.0, <9.0.17 → Upgrade to 9.0.17
Additional Resources
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://seclists.org/bugtraq/2019/Dec/43
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2019-0221
- http://www.securityfocus.com/bid/108545
- https://security.gentoo.org/glsa/202003-43
- https://www.debian.org/security/2019/dsa-4596
What are Similar Vulnerabilities to CVE-2019-0221?
Similar Vulnerabilities: CVE-2019-0232, CVE-2020-1938, CVE-2020-8022, CVE-2021-25329, CVE-2021-30640
