CVSS v2 base score: 7.5 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Apache Tomcat uses insecure authentication for its administrative user: the installation process sets a blank password as the default password for that account. An attacker can therefore authenticate as the administrator and gain privileged access to the application.
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113
marc.info/?l=bugtraq&m=127420533226623&w=2
marc.info/?l=bugtraq&m=133469267822771&w=2
marc.info/?l=bugtraq&m=136485229118404&w=2
marc.info/?l=bugtraq&m=139344343412337&w=2
markmail.org/thread/wfu4nff5chvkb6xp
secunia.com/advisories/40330
secunia.com/advisories/57126
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
www.securityfocus.com/archive/1/507720/100/0/threaded
www.securityfocus.com/archive/1/516397/100/0/threaded
www.securityfocus.com/bid/36954
www.securitytracker.com/id?1023146
www.vmware.com/security/advisories/VMSA-2011-0003.html
www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
www.vupen.com/english/advisories/2009/3185
www.vupen.com/english/advisories/2010/1559
exchange.xforce.ibmcloud.com/vulnerabilities/54182
lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19414
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7033