CVE-2011-2204low
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.
References
http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=133469267822771&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/44981
http://secunia.com/advisories/48308
http://secunia.com/advisories/57126
http://securitytracker.com/id?1025712
http://support.apple.com/kb/HT5130
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://www.debian.org/security/2012/dsa-2401
http://www.mandriva.com/security/advisories?name=MDVSA-2011:156
http://www.redhat.com/support/errata/RHSA-2011-1845.html
http://www.securityfocus.com/bid/48456
https://bugzilla.redhat.com/show_bug.cgi?id=717013
https://exchange.xforce.ibmcloud.com/vulnerabilities/68238
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14931
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19532
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:5.5.31:*:*:*:*:*:*:*
Configuration 2
OR
cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*
Configuration 3
OR
cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 78925 | RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0682) | Nessus | Red Hat Local Security Checks | high |
| 78924 | RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0680) | Nessus | Red Hat Local Security Checks | high |
| 76034 | openSUSE Security Update : tomcat6 (openSUSE-SU-2011:0988-1) | Nessus | SuSE Local Security Checks | medium |
| 75762 | openSUSE Security Update : tomcat6 (openSUSE-SU-2011:0988-1) | Nessus | SuSE Local Security Checks | medium |
| 69584 | Amazon Linux AMI : tomcat6 (ALAS-2011-25) | Nessus | Amazon Linux Local Security Checks | high |
| 68410 | Oracle Linux 5 : tomcat5 (ELSA-2011-1845) | Nessus | Oracle Linux Local Security Checks | medium |
| 68399 | Oracle Linux 6 : tomcat6 (ELSA-2011-1780) | Nessus | Oracle Linux Local Security Checks | high |
| 61211 | Scientific Linux Security Update : tomcat5 on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 61184 | Scientific Linux Security Update : tomcat6 on SL6.x | Nessus | Scientific Linux Local Security Checks | high |
| 59677 | GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium |
| 6303 | Mac OS X 10.7 < 10.7.3 Multiple Vulnerabilities | Nessus Network Monitor | Generic | critical |
| 57812 | Debian DSA-2401-1 : tomcat6 - several vulnerabilities | Nessus | Debian Local Security Checks | high |
| 57798 | Mac OS X Multiple Vulnerabilities (Security Update 2012-001) (BEAST) | Nessus | MacOS X Local Security Checks | critical |
| 57374 | CentOS 6 : tomcat6 (CESA-2011:1780) | Nessus | CentOS Local Security Checks | high |
| 57356 | RHEL 5 : tomcat5 (RHSA-2011:1845) | Nessus | Red Hat Local Security Checks | medium |
| 57354 | CentOS 5 : tomcat5 (CESA-2011:1845) | Nessus | CentOS Local Security Checks | medium |
| 57255 | SuSE 10 Security Update : tomcat5 (ZYPP Patch Number 7689) | Nessus | SuSE Local Security Checks | medium |
| 57023 | RHEL 6 : tomcat6 (RHSA-2011:1780) | Nessus | Red Hat Local Security Checks | high |
| 56746 | Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : tomcat6 vulnerabilities (USN-1252-1) | Nessus | Ubuntu Local Security Checks | high |
| 56573 | Fedora 14 : tomcat6-6.0.26-27.fc14 (2011-13457) | Nessus | Fedora Local Security Checks | high |
| 56572 | Fedora 15 : tomcat6-6.0.32-8.fc15 (2011-13456) | Nessus | Fedora Local Security Checks | low |
| 56551 | Mandriva Linux Security Advisory : tomcat5 (MDVSA-2011:156) | Nessus | Mandriva Local Security Checks | high |
| 56537 | Fedora 16 : tomcat6-6.0.32-17.fc16 (2011-13426) | Nessus | Fedora Local Security Checks | low |
| 56301 | Apache Tomcat 5.5.x < 5.5.34 Multiple Vulnerabilities | Nessus | Web Servers | high |
| 56035 | SuSE 10 Security Update : tomcat5 (ZYPP Patch Number 7688) | Nessus | SuSE Local Security Checks | medium |
| 800602 | Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities | Log Correlation Engine | Web Servers | medium |
| 6018 | Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |
| 56008 | Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 55759 | Apache Tomcat 7.x < 7.0.17 Multiple Vulnerabilities | Nessus | Web Servers | high |
| 800597 | Apache Tomcat 7.0.x < 7.0.19 Multiple Vulnerabilities | Log Correlation Engine | Web Servers | medium |
| 5996 | Apache Tomcat 7.0.x < 7.0.17 Multiple Vulnerabilities | Nessus Network Monitor | Web Servers | medium |