Apache Tomcat Manager Common Administrative Credentials
Critical Nessus Plugin ID 34970
The management console for the remote web server is protected using a known set of credentials.
Nessus was able to gain access to the Manager web application for the remote Tomcat server using a known set of credentials. A remote attacker can exploit this issue to install a malicious application on the affected server and run arbitrary code with Tomcat's privileges (usually SYSTEM on Windows, or the unprivileged 'tomcat' account on Unix). Note that worms are known to propagate this way.
Edit the associated 'tomcat-users.xml' file and change or remove the affected set of credentials.
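One way to check a 'tomcat-users.xml' file for this condition before a scanner does, as an added example that is not part of the plugin or of Tomcat. The weak-password list and the sample file are constructed assumptions; substitute your own list.

```python
import xml.etree.ElementTree as ET

# Roles that grant access to the Manager application (legacy "manager" included).
MANAGER_ROLES = {"manager", "manager-gui", "manager-script",
                 "manager-jmx", "manager-status"}

# Assumption: a small illustrative deny-list, not the list the plugin tests.
WEAK_PASSWORDS = {"", "tomcat", "admin", "manager", "password", "changeme"}

# Constructed sample input. The commented-out user is ignored by the parser,
# just as Tomcat ignores it.
SAMPLE = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="manager-gui"/>
  <!-- <user username="demo" password="demo" roles="manager-gui"/> -->
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
  <user username="deploy" password="changeme" roles="manager-script"/>
  <user username="ops" password="constructed-long-random-value" roles="manager-gui"/>
  <user username="viewer" password="viewer" roles="role1"/>
</tomcat-users>"""


def audit_tomcat_users(xml_text):
    """Return [(username, reason)] for Manager-capable accounts with guessable passwords."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # Strip the XML namespace that newer tomcat-users.xml files declare.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        # Fall back to "name" when "username" is absent.
        name = el.get("username") or el.get("name") or ""
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if not roles & MANAGER_ROLES:
            continue  # account cannot reach the Manager application
        if password.lower() == name.lower():
            findings.append((name, "password equals username"))
        elif password.lower() in WEAK_PASSWORDS:
            findings.append((name, "password on weak-password list"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE):
        print(f"{user}: {reason}")
```

The check compares cleartext values only and looks at roles assigned directly to a user, so digested passwords and roles inherited through groups need separate review.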