The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.debian.org/security/2019/dsa-4596
https://usn.ubuntu.com/4128-2/
https://usn.ubuntu.com/4128-1/
https://support.f5.com/csp/article/K13184144?utm_source=f5support&%3Butm_medium=RSS
https://security.netapp.com/advisory/ntap-20190606-0001/
https://security.gentoo.org/glsa/202003-43
https://seclists.org/bugtraq/2019/Dec/43
https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00044.html
https://access.redhat.com/errata/RHSA-2019:3931
https://access.redhat.com/errata/RHSA-2019:3929
http://www.securityfocus.com/bid/108545
http://seclists.org/fulldisclosure/2019/May/50
http://packetstormsecurity.com/files/163457/Apache-Tomcat-9.0.0.M1-Cross-Site-Scripting.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html