Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 692402 (CVE-2019-0221) - <www-servers/tomcat-{7.0.93,8.5.39}: XSS in SSI printenv (CVE-2019-0221)
Summary: <www-servers/tomcat-{7.0.93,8.5.39}: XSS in SSI printenv (CVE-2019-0221)
Alias: CVE-2019-0221
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: B4 [glsa+ cve]
Depends on:
Blocks: 656044 CVE-2018-8014 CVE-2018-1336, CVE-2018-8034
  Show dependency tree
Reported: 2019-08-17 22:58 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-19 17:17 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-08-17 22:58:29 UTC
CVE-2019-0221 (
  The SSI printenv command in Apache Tomcat 9.0.0.M1 to, 8.5.0 to
  8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and
  is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv
  command is intended for debugging and is unlikely to be present in a
  production website.
Comment 1 Miroslav Šulc gentoo-dev 2019-09-21 07:05:59 UTC
slots 7 and 8.5 are clean, slot 9 needs virtual/{jdk,jre} unmasked first to stabilize the newest version of tomcat in that slot.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 20:42:32 UTC
@ maintainer(s): ping, please name exact virtual/{jre,jdk} you are waiting for!
Comment 3 Miroslav Šulc gentoo-dev 2019-10-26 20:46:24 UTC
(In reply to Thomas Deutschmann from comment #2)
> @ maintainer(s): ping, please name exact virtual/{jre,jdk} you are waiting
> for!

slot 11
Comment 4 Miroslav Šulc gentoo-dev 2020-02-09 23:39:19 UTC
i've dropped 9.0.7 so you can proceed now
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-19 01:10:40 UTC
Tree looks clean?
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 17:03:19 UTC
Added to an existing GLSA request.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 17:17:59 UTC
This issue was resolved and addressed in
 GLSA 202003-43 at
by GLSA coordinator Thomas Deutschmann (whissi).