It was discovered that the Tomcat 9 SSI printenv command echoed user provided data without escaping it. An attacker could possibly use this issue to perform an XSS attack. (CVE-2019-0221)
It was discovered that Tomcat 9 did not address HTTP/2 connection window exhaustion on write while addressing CVE-2019-0199. An attacker could possibly use this issue to cause a denial of service. (CVE-2019-10072)
{ "binaries": [ { "binary_version": "9.0.16-3ubuntu0.18.04.1", "binary_name": "libtomcat9-embed-java" }, { "binary_version": "9.0.16-3ubuntu0.18.04.1", "binary_name": "libtomcat9-java" }, { "binary_version": "9.0.16-3ubuntu0.18.04.1", "binary_name": "tomcat9" }, { "binary_version": "9.0.16-3ubuntu0.18.04.1", "binary_name": "tomcat9-admin" }, { "binary_version": "9.0.16-3ubuntu0.18.04.1", "binary_name": "tomcat9-common" }, { "binary_version": "9.0.16-3ubuntu0.18.04.1", "binary_name": "tomcat9-docs" }, { "binary_version": "9.0.16-3ubuntu0.18.04.1", "binary_name": "tomcat9-examples" }, { "binary_version": "9.0.16-3ubuntu0.18.04.1", "binary_name": "tomcat9-user" } ], "availability": "No subscription required" }
{ "cves_map": { "cves": [ { "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" }, { "score": "low", "type": "Ubuntu" } ], "id": "CVE-2019-0221" }, { "severity": [ { "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "type": "CVSS_V3" }, { "score": "medium", "type": "Ubuntu" } ], "id": "CVE-2019-10072" } ], "ecosystem": "Ubuntu:18.04:LTS" } }