Apache Tomcat Windows Installer insecure default administrative password

Credit: Mark Thomas
Risk: High
Local: No
Remote: Yes
CWE: CWE-264

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

CVE-2009-3548: Apache Tomcat Windows Installer insecure default administrative password Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.28 Tomcat 6.0.0 to 6.0.20 The unsupported Tomcat 3.x, 4.0.x, 4.1.x and 5.0.x versions may be also affected. Description: The Windows installer defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password. Mitigation: Users of all Tomcat versions may mitigate this issue by one of the following methods: - Using the .zip or .tar.gz distributions - Specifying a strong password for the admin user when using the Windows installer - Removing the admin user from the tomcat-users.xml file after the Windows installer has completed - Editing the tomcat-users.xml file to provide the admin user with a strong password after the Windows installer has completed A patch for this issue [1] has been applied to trunk and will be included in the next releases of 6.0.x and 5.5.x Credit: This issue was reported directly [2] to the tomcat users public mailing list by David Horheim. Security researchers are reminded that undisclosed vulnerabilities in Apache Tomcat should, in the first instance, be reported to the private security mailing list. [3] References: [1] http://svn.apache.org/viewvc?view=revision&revision=834047 [2] http://markmail.org/thread/wfu4nff5chvkb6xp [3] http://tomcat.apache.org/security.html Mark Thomas



Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com


Back to Top