Search for packages
| purl | pkg:apache/tomcat@9.0.17 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4aaa-errb-2qdw
Aliases: CVE-2019-0232 GHSA-8vmx-qmch-mpqg |
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). |
Affected by 1 other vulnerability. |
|
VCID-arkn-bca7-hqam
Aliases: CVE-2019-0221 GHSA-jjpq-gp5q-8q6w |
The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:08.784085+00:00 | Apache Tomcat Importer | Affected by | VCID-arkn-bca7-hqam | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.754403+00:00 | Apache Tomcat Importer | Affected by | VCID-4aaa-errb-2qdw | https://tomcat.apache.org/security-9.html | 38.0.0 |