Home > Vulnerability Database > CVE-2017-12615

Mend.io Vulnerability Database

CVE-2017-12615

Good to know:

Date: September 18, 2017

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Language: Java

Severity Score

8.1

Related Resources (22)

Url: https://access.redhat.com/errata/RHSA-2017:3081

Url: https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2017:3080

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

Url: https://www.exploit-db.com/exploits/42953/

Url: https://github.com/breaktoprotect/CVE-2017-12615

Url: https://access.redhat.com/errata/RHSA-2017:3113

Url: https://access.redhat.com/errata/RHSA-2017:3114

Url: https://access.redhat.com/security/cve/CVE-2017-12615

Url: https://nvd.nist.gov/vuln/detail/CVE-2017-12615

Url: https://www.synology.com/support/security/Synology_SA_17_54_Tomcat

Url: http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html

Url: https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:0466

Url: https://security.netapp.com/advisory/ntap-20171018-0001/

Url: https://access.redhat.com/errata/RHSA-2018:0465

Url: https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

Url: http://www.securitytracker.com/id/1039392

Url: http://www.securityfocus.com/bid/100901

Url: https://www.mend.io/vulnerability-database/CVE-2017-12615

Severity Score

8.1

Weakness Type (CWE)

Unrestricted Upload of File with Dangerous Type

CWE-434

Top Fix

Upgrade Version

Upgrade to version org.apache.tomcat.embed:tomcat-embed-core:7.0.81,org.apache.tomcat:tomcat-catalina:7.0.81

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2017-12615

Good to know:

Date: September 18, 2017

Language: Java

Severity Score

Related Resources (22)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?