Skip to content

Insertion of Sensitive Information into Log File in Apache Tomcat

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Feb 21, 2024

Package

maven org.apache.tomcat:tomcat (Maven)

Affected versions

>= 5.5.0, < 5.5.34
>= 6.0.0, < 6.0.33
>= 7.0.0, < 7.0.19

Patched versions

5.5.34
6.0.33
7.0.19

Description

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

This issue was fixed in Apache Tomcat 7.0.17 but the release votes for the 7.0.17 and 7.0.18 release candidates did not pass. Therefore, users must download 7.0.19 to obtain a version that includes a fix.

References

Published by the National Vulnerability Database Jun 29, 2011
Published to the GitHub Advisory Database May 14, 2022
Reviewed Jul 13, 2022
Last updated Feb 21, 2024

Severity

Moderate

EPSS score

0.045%
(18th percentile)

CVE ID

CVE-2011-2204

GHSA ID

GHSA-c57p-3v2g-w9rg

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.