CVE-2011-2204: Insertion of Sensitive Information into Log File in Apache Tomcat
CVSS Score: 1.9
Basic Information
CVE ID: CVE-2011-2204
GHSA ID
EPSS Score: 0.23014%
CWE
Published: 5/14/2022
Updated: 2/21/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.tomcat:tomcat | maven | >= 5.5.0, < 5.5.34 | 5.5.34 |
| org.apache.tomcat:tomcat | maven | >= 6.0.0, < 6.0.33 | 6.0.33 |
| org.apache.tomcat:tomcat | maven | >= 7.0.0, < 7.0.19 | 7.0.19 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from three related points: 1) the JMX error handling in MemoryUserDatabaseMBean logged the user objects themselves, 2) MemoryUser's toString() included the password in its serialized form, and 3) MemoryUserDatabase.save() persisted those same toString() outputs, so a single method served both diagnostics and XML serialization. The fix commits modify exactly these areas: exceptions now reference a safe identifier instead of the user object, toString() is split from a new toXml() that applies filtering, and the persistence logic is updated accordingly. Together these changes confirm that the original functions leaked passwords through both error logging and XML serialization.