CVE-2019-0232

Published: 15/04/2019 Updated: 23/04/2019
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 828
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

A vulnerability in the CGI Servlet of Apache Tomcat could allow an unauthenticated, remote malicious user to execute arbitrary code on a targeted system. The vulnerability occurs when enableCmdLineArguments is enabled on a Windows system and the Java Runtime Environment (JRE) passes command-line arguments to the system. An attacker could exploit this vulnerability by passing command-line arguments to the affected system. A successful exploit could allow the malicious user to execute code on the targeted system. The Apache Software Foundation has confirmed this vulnerability; however, updates are not available.

Affected Products

Vendor: Apache | Product: Tomcat
Versions: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17, 7.0.18, 7.0.19, 7.0.20, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.0.25, 7.0.26, 7.0.27, 7.0.28, 7.0.29, 7.0.30, 7.0.31, 7.0.32, 7.0.33, 7.0.34, 7.0.35, 7.0.36, 7.0.37, 7.0.38, 7.0.39, 7.0.40, 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.51, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.58, 7.0.59, 7.0.60, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.66, 7.0.67, 7.0.68, 7.0.69, 7.0.70, 7.0.71, 7.0.72, 7.0.73, 7.0.74, 7.0.75, 7.0.76, 7.0.77, 7.0.78, 7.0.79, 7.0.80, 7.0.81, 7.0.82, 7.0.83, 7.0.84, 7.0.85, 7.0.93, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.23, 8.5.24, 8.5.27, 8.5.28, 8.5.29, 8.5.39, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.17

Vendor Advisories

Impact: Important | Public Date: 2019-04-10 | CWE: CWE-20 | Bugzilla: 1701056: CVE-2019-0232 tomcat: Remote C ...
Summary: When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments i ...

Github Repositories

CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows - CGI-BIN
Apache Tomcat remote code execution on Windows, cgi-bin
Usage: python CVE-2019-0232.py url cmd
Write the Python script:
import requests
import sys
# localhost:8080/cgi-bin/hello.bat?&C%3A%5CWindows%5CSystem32%5Cnet.exe+user
url = sys.argv[1]
url_dir = "/cgi-bin/hello.bat?&

Testing Environment: Tomcat 8.5.39, JDK 1.8
Modify Configuration: web.xml
<servlet>
  <servlet-name>cgi</servlet-name>
  <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
