CVE-2011-2204

Description

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19532

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14931

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

https://exchange.xforce.ibmcloud.com/vulnerabilities/68238

https://bugzilla.redhat.com/show_bug.cgi?id=717013

http://www.securityfocus.com/bid/48456

http://www.redhat.com/support/errata/RHSA-2011-1845.html

http://www.osvdb.org/73429

http://www.mandriva.com/security/advisories?name=MDVSA-2011:156

http://www.debian.org/security/2012/dsa-2401

http://tomcat.apache.org/security-7.html

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-5.html

http://support.apple.com/kb/HT5130

http://securitytracker.com/id?1025712

http://secunia.com/advisories/57126

http://secunia.com/advisories/48308

http://secunia.com/advisories/44981

http://marc.info/?l=bugtraq&m=139344343412337&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://marc.info/?l=bugtraq&m=133469267822771&w=2

http://marc.info/?l=bugtraq&m=132215163318824&w=2

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

Details

Source: Mitre, NVD

Risk Information

CVSS v2

CVSS v3