CVE-2011-2204 Information

Description

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

Reference

http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=133469267822771&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/44981
http://secunia.com/advisories/48308
http://secunia.com/advisories/57126
http://securitytracker.com/id?1025712
http://support.apple.com/kb/HT5130
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://www.debian.org/security/2012/dsa-2401
http://www.mandriva.com/security/advisories?name=MDVSA-2011:156
http://www.osvdb.org/73429
http://www.redhat.com/support/errata/RHSA-2011-1845.html
http://www.securityfocus.com/bid/48456
https://bugzilla.redhat.com/show_bug.cgi?id=717013
https://exchange.xforce.ibmcloud.com/vulnerabilities/68238
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14931
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19532
