Description

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

Remediation

References

http://www.osvdb.org/73429

https://bugzilla.redhat.com/show_bug.cgi?id=717013

http://tomcat.apache.org/security-6.html

http://tomcat.apache.org/security-5.html

http://tomcat.apache.org/security-7.html

http://secunia.com/advisories/44981

http://securitytracker.com/id?1025712

http://www.securityfocus.com/bid/48456

http://www.redhat.com/support/errata/RHSA-2011-1845.html

http://www.mandriva.com/security/advisories?name=MDVSA-2011:156

http://support.apple.com/kb/HT5130

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html

http://www.debian.org/security/2012/dsa-2401

http://marc.info/?l=bugtraq&m=132215163318824&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://marc.info/?l=bugtraq&m=139344343412337&w=2

http://secunia.com/advisories/57126

http://marc.info/?l=bugtraq&m=133469267822771&w=2

https://exchange.xforce.ibmcloud.com/vulnerabilities/68238

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19532

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14931

http://secunia.com/advisories/48308

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2020-26234 Vulnerability in maven package org.opencastproject:opencast-kernel

CVE-2021-32808 Vulnerability in maven package org.webjars.bowergithub.ckeditor:ckeditor4

CVE-2021-31522 Vulnerability in maven package org.apache.kylin:kylin-server-base

CVE-2021-23413 Vulnerability in npm package jszip

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-hive

Severity

Critical

Classification

CWE-200

Tags

Patch Vendor Advisory