Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2019-0221
Severity
6.1 MEDIUM
EPSS
19.3%
top 4.63%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
Published: May 28
Latest update: Jul 23
Description
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7
Affected Packages (7 packages)
CVEListV5: apache/apache_tomcat 7.0.0 to 7.0.93, 8.5.0 to 8.5.39, Apache Tomcat 9.0.0.M1 to 9.0.0.17 (+2)
Vulnerability Details
Exploits & PoCs (7)
Nuclei (2)
Apache Tomcat - Cross-Site Scripting