CVE-2019-0232

Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution

Severity Score

8.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Cuando se ejecuta Windows con enableCmdLineArguments activado, el Servlet CGI en Apache Tomcat 9.0.0.0.M1 a 9.0.17, 8.5.0 a 8.5.39 y 7.0.0.0 a 7.0.93 es vulnerable a una Ejecución Remota de Código debido a un error en la forma en que el JRE pasa los argumentos de la línea de comando a Windows. El Servlet CGI está deshabilitado por defecto. La opción CGI enableCmdLineArguments está desactivada por defecto en Tomcat 9.0.x (y será desactivada por defecto en todas las versiones en respuesta a esta vulnerabilidad). Para una explicación detallada del comportamiento de JRE, consulte el blog de Markus Wulftange (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) y este blog de MSDN archivado (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

A flaw was discovered in Apache Tomcat, where a Java Runtime Environment can pass a command-line argument in the Windows operating system. The execution of arbitrary commands via Tomcat’s Common Gateway Interface (CGI) Servlet, allows an attacker to perform remote code execution.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-11-14 CVE Reserved
2019-04-15 CVE Published
2019-04-17 First Exploit
2024-08-04 CVE Updated
2024-11-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-20: Improper Input Validation
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CAPEC

References (43)

URL	Tag	Source
http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html	X_refsource_misc
http://seclists.org/fulldisclosure/2019/May/4	Mailing List
http://www.securityfocus.com/bid/107906	Third Party Advisory
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat	X_refsource_misc
https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html	Third Party Advisory
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://security.netapp.com/advisory/ntap-20190419-0001	Third Party Advisory
https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way	Third Party Advisory
https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784	Technical Description
https://www.oracle.com/security-alerts/cpuApr2021.html	X_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2020.html	X_refsource_misc
https://www.oracle.com/security-alerts/cpujan2020.html	X_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	X_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	X_refsource_misc
https://www.synology.com/security/advisory/Synology_SA_19_17	X_refsource_confirm
https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232	X_refsource_misc

URL	Date	SRC
https://www.exploit-db.com/exploits/47073	2019-07-03
https://github.com/pyn3rd/CVE-2019-0232	2019-11-27
https://github.com/jas502n/CVE-2019-0232	2019-04-17
https://github.com/jaiguptanick/CVE-2019-0232	2021-09-04
https://github.com/setrus/CVE-2019-0232	2019-11-21
https://github.com/cyy95/CVE-2019-0232-EXP	2019-05-23
https://github.com/xsxtw/CVE-2019-0232	2019-11-27
https://github.com/Nicoslo/Windows-exploitation-Apache-Tomcat-8.5.19-CVE-2019-0232-	2021-02-20
https://github.com/Nicoslo/Windows-Exploitation-Web-Server-Tomcat-8.5.39-CVE-2019-0232	2021-02-20

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:1712	2023-12-08
https://access.redhat.com/security/cve/CVE-2019-0232	2019-11-20
https://bugzilla.redhat.com/show_bug.cgi?id=1701056	2019-11-20

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	>= 7.0.0 <= 7.0.93 Search vendor "Apache" for product "Tomcat" and version " >= 7.0.0 <= 7.0.93"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	>= 8.5.0 <= 8.5.39 Search vendor "Apache" for product "Tomcat" and version " >= 8.5.0 <= 8.5.39"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	>= 9.0.1 <= 9.0.17 Search vendor "Apache" for product "Tomcat" and version " >= 9.0.1 <= 9.0.17"	-	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone1	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone10	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone11	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone12	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone13	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone14	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone15	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone16	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone17	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone18	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone19	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone2	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone20	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone21	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone22	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone23	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone24	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone25	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone26	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone3	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone4	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone5	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone6	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone7	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone8	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe
Apache Search vendor "Apache"	Tomcat Search vendor "Apache" for product "Tomcat"	9.0.0 Search vendor "Apache" for product "Tomcat" and version "9.0.0"	milestone9	Affected	in	Microsoft Search vendor "Microsoft"	Windows Search vendor "Microsoft" for product "Windows"	-	-	Safe