Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.
This issue was fixed in Apache Tomcat 7.0.17, but the release votes for the 7.0.17 and 7.0.18 release candidates did not pass. Therefore, users must download 7.0.19 to obtain a version that includes the fix.
marc.info/?l=bugtraq&m=132215163318824&w=2
marc.info/?l=bugtraq&m=133469267822771&w=2
marc.info/?l=bugtraq&m=136485229118404&w=2
marc.info/?l=bugtraq&m=139344343412337&w=2
support.apple.com/kb/HT5130
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
www.debian.org/security/2012/dsa-2401
access.redhat.com/errata/RHSA-2011:1845
bugzilla.redhat.com/show_bug.cgi?id=717013
exchange.xforce.ibmcloud.com/vulnerabilities/68238
github.com/apache/tomcat
github.com/apache/tomcat/commit/763a56b45999653ce648a18462b8a826809215b1
github.com/apache/tomcat55/commit/8b81c8c869987e35deed04993ecfcf7be27ca298
lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2011-2204
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14931
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19532
web.archive.org/web/20110711083618/securitytracker.com/id?1025712