The Windows installer for Apache Tomcat defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.


Users of all Tomcat versions may mitigate this issue by one of the following methods:

  • Using the .zip or .tar.gz distributions
  • Specifying a strong password for the admin user when using the Windows installer [l/i]
  • Removing the admin user from the tomcat-users.xml file after the Windows installer has completed
  • Editing the tomcat-users.xml file to provide the admin user with a strong password after the Windows installer has completed

A patch for this issue [1] has been applied to trunk and will be included in the next releases of 6.0.x and 5.5.x


Related Vulnerabilities