CVE-2009-3548

Apache Tomcat - Credentials Management

Title source: rule

Description

The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.

Exploits (4)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotemultiple

https://www.exploit-db.com/exploits/31433

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

rubypocjava

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_upload.rb

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by jduck · rubypocjava

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_deploy.rb

View Code ZIP pw:eip

exploitdb WORKING POC

rubyremotemultiple

https://www.exploit-db.com/exploits/16317

View Code ZIP pw:eip

References (26)

[Vendor Advisory] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113

[Mailing List] http://marc.info/?l=bugtraq&m=127420533226623&w=2

[Mailing List] http://marc.info/?l=bugtraq&m=133469267822771&w=2

[Mailing List] http://marc.info/?l=bugtraq&m=136485229118404&w=2

[Mailing List] http://marc.info/?l=bugtraq&m=139344343412337&w=2

[Various Sources] http://markmail.org/thread/wfu4nff5chvkb6xp

[Patch, Vendor Advisory] http://tomcat.apache.org/security-5.html

[Patch, Vendor Advisory] http://tomcat.apache.org/security-6.html

[Vendor Advisory] http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html

[Vendor Advisory] http://www.vupen.com/english/advisories/2009/3185

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/54182

[Mailing List] https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19414

[Vendor Advisory] http://www.vmware.com/security/advisories/VMSA-2011-0003.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/507720/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/516397/100/0/threaded

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/36954

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7033

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1023146

[Third Party Advisory] http://secunia.com/advisories/40330

... and 6 more

Scores

EPSS 0.8688

EPSS Percentile 99.4%

Details

CWE

CWE-255

Status published

Products (47)

apache/tomcat 3.0

apache/tomcat 3.1

apache/tomcat 3.1.1

apache/tomcat 3.2

apache/tomcat 3.2.1

apache/tomcat 3.2.2 (2 CPE variants)

apache/tomcat 3.2.3

apache/tomcat 3.2.4

apache/tomcat 3.3

apache/tomcat 3.3.1

... and 37 more

Published Nov 12, 2009

Tracked Since Feb 18, 2026