This script is Copyright (C) 2008-2014 Tenable Network Security, Inc.
Synopsis :
The management console for the remote web server is protected using a
known set of credentials.
Description :
It is possible to gain access to the Manager web application for the
remote Tomcat server using a known set of credentials. A remote
attacker can leverage this issue to install a malicious application on
the affected server and run code with Tomcat's privileges (usually
SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix).
Worms are known to propagate this way.
See also :
Solution :
Edit the associated 'tomcat-users.xml' file and change or remove the
affected set of credentials.
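One way to find the accounts to change or remove is to audit 'tomcat-users.xml' directly. The script below is an added example, not part of the plugin or of Tomcat. The watchlist of weak pairs and the sample file are constructed for illustration, since the plugin's own credential list is not given here, and the check assumes passwords are stored in plaintext rather than digested.

```python
import xml.etree.ElementTree as ET

# Assumed watchlist of weak username/password pairs, constructed for this
# example. Extend it with the pairs your own scanner reports.
WEAK_PAIRS = {("tomcat", "tomcat"), ("admin", "admin"), ("admin", ""),
              ("manager", "manager"), ("role1", "tomcat"), ("both", "tomcat")}
# Roles that grant access to the Manager application (Tomcat 6 and 7+ names).
MANAGER_ROLES = {"manager", "manager-gui", "manager-script",
                 "manager-jmx", "manager-status"}

def local(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, reason) findings for accounts that can reach Manager."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "user":
            continue
        # Older files use name=, newer ones use username=.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # this account cannot log in to the Manager application
        if (name, password) in WEAK_PAIRS:
            findings.append((name, "known default credential pair"))
        elif password == "":
            findings.append((name, "empty password"))
        elif password == name:
            findings.append((name, "password equals username"))
    return findings

# Constructed sample file, not taken from any real server.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-script,admin-gui"/>
  <user username="ops" password="constructed-long-random-value" roles="manager-gui"/>
  <user username="role1" password="tomcat" roles="role1"/>
</tomcat-users>"""

if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE):
        print(f"{user}: {reason}")
```

Entries that are commented out in the file are ignored by the parser, so only active accounts are reported.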
Risk factor :
Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.3
Public Exploit Available : true