CVE-2011-2204 — Sensitive Information Exposure in Apache Tomcat

CWE-200 — Sensitive Information Exposure CWE-532 — Log File Information Exposure11 documents8 sources

Severity

1.9LOWNVD

EPSS

0.1%

top 73.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat

Timeline

PublishedJun 29

Latest updateMay 14

Description

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

CVSS vector

AV:L/AC:M/C:P/I:N/A:NExploitability: 3.4 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/tomcat78 versions+77

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

Insertion of Sensitive Information into Log File in Apache Tomcat↗2022-05-14

▶

GHSA

Insertion of Sensitive Information into Log File in Apache Tomcat↗2022-05-14

▶

CVEList

CVE-2011-2204: Apache Tomcat 5↗2011-06-29

▶

💥Exploits & PoCs

Exploit-DB

CyberLink (Multiple Products) - File Project Handling Stack Buffer Overflow (PoC)↗2011-12-09

▶

📋Vendor Advisories

Red Hat

tomcat: World-readable log directory↗2013-02-22

▶

Ubuntu

Tomcat vulnerabilities↗2011-11-08

▶

Red Hat

tomcat: password disclosure vulnerability↗2011-06-27

▶

💬Community

Bugzilla

CVE-2011-2204 tomcat: password disclosure vulnerability↗2011-06-27

▶

Bugzilla

CVE-2011-2204 tomcat: password disclosure vulnerability [fedora-16]↗2011-06-27

▶

Bugzilla

CVE-2011-2204 tomcat: password disclosure vulnerability [fedora-all]↗2011-06-27

▶