Description

The Windows installer for Apache Tomcat defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.

Remediation

Users of all Tomcat versions may mitigate this issue by one of the following methods:

  • Using the .zip or .tar.gz distributions
  • Specifying a strong password for the admin user when using the Windows installer [l/i]
  • Removing the admin user from the tomcat-users.xml file after the Windows installer has completed
  • Editing the tomcat-users.xml file to provide the admin user with a strong password after the Windows installer has completed

A patch for this issue [1] has been applied to trunk and will be included in the next releases of 6.0.x and 5.5.x

References

CVE-2009-3548

Apache Tomcat Windows Installer insecure default administrative password

Related Vulnerabilities

ASP.NET cookies accessible from client-side scripts

Insecure Transportation Security Protocol Supported (SSLv2)

Tornado weak secret key

Firebase database accessible without authentication

Oracle E-Business Suite Frame Injection (CVE-2017-3528)

Severity

High

Classification

CWE-284 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Configuration Insecure Admin Access Default Credentials