CVE-2019-0232 (High) detected in tomcat-catalina-7.0.42.jar - autoclosed

[mend-for-github-com]

CVE-2019-0232 - High Severity Vulnerability

Vulnerable Library - tomcat-catalina-7.0.42.jar

Tomcat Servlet Engine Core Classes and Standard implementations

Library home page: http://tomcat.apache.org/

Dependency Hierarchy:

• ❌ tomcat-catalina-7.0.42.jar (Vulnerable Library)

Found in HEAD commit: 910335bf446a1a65011c17bf5badb72c4d4efc50

Vulnerability Details

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Publish Date: 2019-04-15

URL: CVE-2019-0232

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232

Release Date: 2019-04-15

Fix Resolution: 9.0.18,8.5.40,7.0.94

[mend-for-github-com]

ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #114