Description

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

Remediation

References

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

http://marc.info/?l=bugtraq&m=132215163318824&w=2

http://marc.info/?l=bugtraq&m=132215163318824&w=2

http://marc.info/?l=bugtraq&m=133469267822771&w=2

http://marc.info/?l=bugtraq&m=133469267822771&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://marc.info/?l=bugtraq&m=139344343412337&w=2

http://secunia.com/advisories/44981

http://secunia.com/advisories/48308

http://secunia.com/advisories/57126

http://securitytracker.com/id?1025712

http://support.apple.com/kb/HT5130

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-7.html

http://www.debian.org/security/2012/dsa-2401

http://www.mandriva.com/security/advisories?name=MDVSA-2011:156

http://www.osvdb.org/73429

http://www.redhat.com/support/errata/RHSA-2011-1845.html

http://www.securityfocus.com/bid/48456

https://bugzilla.redhat.com/show_bug.cgi?id=717013

https://exchange.xforce.ibmcloud.com/vulnerabilities/68238

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14931

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19532

Related Vulnerabilities

CVE-2020-13956 Vulnerability in maven package org.apache.httpcomponents:httpclient

CVE-2011-1419 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2011-4838 Vulnerability in maven package com.sun.grizzly:jruby

CVE-2019-1003038 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector

CVE-2017-12624 Vulnerability in maven package org.apache.cxf:cxf-rt-frontend-jaxrs

Severity

Critical

Classification

CWE-200

Tags

Vendor Advisory Patch