PT-2019-3927 · Apache · Apache Tomcat

Published: 2019-04-12 · Updated: 2023-12-08 · CVE-2019-0232

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 9.0.0.M1 through 9.0.17
Apache Tomcat versions 8.5.0 through 8.5.39
Apache Tomcat versions 7.0.0 through 7.0.93

Description

The CGI Servlet in Apache Tomcat is vulnerable to Remote Code Execution when running on Windows with the enableCmdLineArguments option enabled. The cause is a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default, and the enableCmdLineArguments option is also disabled by default in Tomcat 9.0.x. A remote attacker can exploit the vulnerability to execute arbitrary code because of insufficient input validation.

Recommendations

For all affected versions (9.0.0.M1 through 9.0.17, 8.5.0 through 8.5.39 and 7.0.0 through 7.0.93), consider disabling the CGI Servlet or the enableCmdLineArguments option as a temporary workaround. As a general mitigation measure, restrict access to the CGI Servlet to minimize the risk of exploitation.
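
A configuration audit for the conditions described above, as an added example (not code from Apache or from this advisory's publisher). It checks a Tomcat version against the listed ranges and inspects a web.xml for a CGI Servlet declaration and its enableCmdLineArguments init-param. The function names, the "review" verdict for an unset option on 7.0.x/8.5.x, and the sample web.xml are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"
# Inclusive affected ranges, as listed in this advisory.
AFFECTED = [((9, 0, 0), (9, 0, 17)), ((8, 5, 0), (8, 5, 39)), ((7, 0, 0), (7, 0, 93))]
ORDER = ["no-cgi", "disabled", "default", "enabled"]  # least to most concerning

def parse_version(text):
    """'9.0.0.M1' -> (9, 0, 0); a milestone suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(g) for g in m.groups())

def version_affected(text):
    return any(lo <= parse_version(text) <= hi for lo, hi in AFFECTED)

def _local(elem):
    return elem.tag.rsplit("}", 1)[-1]  # strip any XML namespace
def _children(elem):
    return {_local(c): (c.text or "").strip() for c in elem}

def cgi_cmdline_state(web_xml):
    """Worst state over all CGIServlet declarations (commented-out ones are ignored)."""
    worst = ORDER[0]
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem) != "servlet" or _children(elem).get("servlet-class") != CGI_CLASS:
            continue
        pairs = [_children(c) for c in elem if _local(c) == "init-param"]
        params = {p.get("param-name"): p.get("param-value", "") for p in pairs}
        value = params.get("enableCmdLineArguments")
        state = "default" if value is None else ("enabled" if value.lower() == "true" else "disabled")
        worst = max(worst, state, key=ORDER.index)
    return worst

def assess(version, web_xml, on_windows):
    state = cgi_cmdline_state(web_xml)
    if not (on_windows and version_affected(version)) or state in ("no-cgi", "disabled"):
        return "not exposed"
    if state == "default":
        # Advisory: off by default in 9.0.x. It states no default for 7.0/8.5, so flag those.
        return "not exposed" if parse_version(version)[0] == 9 else "review"
    return "exposed"

# Constructed sample web.xml (not taken from any real deployment).
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""
```

Calling assess("8.5.39", SAMPLE, on_windows=True) returns "exposed"; the same configuration on a non-Windows host or on a version outside the listed ranges returns "not exposed".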

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related identifiers

BDU:2019-04405
CVE-2019-0232
GHSA-8VMX-QMCH-MPQG
RHSA-2019:3929

Affected products

Apache Tomcat