CVE-2017-12617

Summary

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat9.0.0.M1 to 9.0.0affected
Apache Software FoundationApache Tomcat8.5.0 to 8.5.22affected
Apache Software FoundationApache Tomcat8.0.0.RC1 to 8.0.46affected
Apache Software FoundationApache Tomcat7.0.0 to 7.0.81affected

Weaknesses

  • Remote Code Execution

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: no
    • Technical Impact: total

Additional References

References