PT-2009-5838 · Apache · Apache Tomcat
Published: 2009-11-12 · Updated: 2019-03-25 · CVE-2009-3548
CVSS v2.0: 7.5 (High)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 5.5.0 through 5.5.28
Apache Tomcat versions 6.0.0 through 6.0.20
Description
The vulnerability stems from the Windows installer for Apache Tomcat setting a blank default password for the administrative user, which allows remote attackers to gain privileges. The default configuration creates a user named admin with the roles admin and manager and a blank password unless the password is changed during installation.
Recommendations
For Apache Tomcat versions 5.5.0 through 5.5.28, change the default password for the administrative user to a secure password.
For Apache Tomcat versions 6.0.0 through 6.0.20, change the default password for the administrative user to a secure password.
As a temporary workaround, consider changing the default configuration to use a secure password for the admin user until a more permanent solution is applied.
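One way to verify the recommendation above on an installed instance is to audit conf/tomcat-users.xml for privileged accounts with no password. The following is an added example, not code from the advisory or from the Apache Tomcat project; the two embedded XML documents are constructed samples, the privileged role names are the ones the advisory mentions (admin, manager), and the fixed password value is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what an affected Windows installer writes when the
# administrative password prompt is left blank (not a file from the advisory).
VULNERABLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="admin"/>
  <role rolename="manager"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
</tomcat-users>
"""

# The same file after applying the recommendation: a non-blank password for
# admin. "S3cure-Example-Pw" is a constructed placeholder, not a suggested value.
FIXED_USERS_XML = VULNERABLE_USERS_XML.replace(
    'username="admin" password=""', 'username="admin" password="S3cure-Example-Pw"')

PRIVILEGED_ROLES = {"admin", "manager"}  # roles named in the advisory


def _local_name(tag):
    """Strip an XML namespace prefix ('{uri}user' -> 'user'); newer Tomcat
    releases declare a default namespace on <tomcat-users>, older ones do not."""
    return tag.rsplit("}", 1)[-1]


def find_blank_privileged_users(xml_text, privileged_roles=PRIVILEGED_ROLES):
    """Return usernames that hold at least one privileged role but have no
    password. A missing password attribute or a whitespace-only value is
    treated like an empty one (assumption: neither is a usable secret)."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        password = (elem.get("password") or "").strip()
        if roles & privileged_roles and not password:
            findings.append(elem.get("username", "<missing username>"))
    return findings


def audit_file(path, privileged_roles=PRIVILEGED_ROLES):
    """Audit an on-disk tomcat-users.xml, e.g. <CATALINA_HOME>/conf/tomcat-users.xml."""
    with open(path, encoding="utf-8") as fh:
        return find_blank_privileged_users(fh.read(), privileged_roles)


if __name__ == "__main__":
    print("vulnerable:", find_blank_privileged_users(VULNERABLE_USERS_XML))  # ['admin']
    print("fixed:", find_blank_privileged_users(FIXED_USERS_XML))            # []
```

Note that tomcat-users.xml may store digested rather than plaintext passwords; the check above only flags accounts whose password value is absent or empty, so a digested password is not reported.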
Affected Products
Apache Tomcat
HP-UX