Vulnerability DatabaseCVE-2017-12617
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2017-12617
October 03, 2017
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Affected Packages
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.1
Fix Suggestion:
Update to version 9.0.1
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=7.0.0 <7.0.82
Fix Suggestion:
Update to version 7.0.82
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=8.5.0 <8.5.23
Fix Suggestion:
Update to version 8.5.23
org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=7.0.0 <7.0.82
Fix Suggestion:
Update to version 7.0.82
org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=8.0.0-RC1 <8.0.47
Fix Suggestion:
Update to version 8.0.47
org.apache.tomcat.embed:tomcat-embed-core (JAVA):
Affected version(s) >=8.0.0-RC1 <8.0.47
Fix Suggestion:
Update to version 8.0.47
org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=9.0.0.M1 <9.0.1
Fix Suggestion:
Update to version 9.0.1
org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=8.5.0 <8.5.23
Fix Suggestion:
Update to version 8.5.23
Related ResourcesĀ (90)
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E
https://web.archive.org/web/20201209024734/http://www.securitytracker.com/id/1039552
https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E
https://www.exploit-db.com/exploits/42966
https://github.com/apache/tomcat/commit/b577f9a7996b92b650b1649af3c3bae11c120db9
https://access.redhat.com/errata/RHSA-2017:3080
https://github.com/apache/tomcat/commit/c177e9668d1278710bdb14c0eb8d2702b3655f5a
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
https://access.redhat.com/errata/RHSA-2017:3114
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
https://www.exploit-db.com/exploits/43008/
https://access.redhat.com/errata/RHSA-2018:0268
https://access.redhat.com/errata/RHSA-2017:3081
http://www.securityfocus.com/bid/100954
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
https://access.redhat.com/errata/RHSA-2018:0466
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E
http://www.securitytracker.com/id/1039552
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us
https://access.redhat.com/errata/RHSA-2018:0270
https://github.com/apache/tomcat/commit/e650cf1b83e441dbd3863f3f6b61c972cafce19e
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12617
https://usn.ubuntu.com/3665-1
https://usn.ubuntu.com/3665-1/
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
https://web.archive.org/web/20171110171954/http://www.securityfocus.com/bid/100954
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://github.com/apache/tomcat/commit/24aea94807f940ee44aa550378dc903289039ddd
https://www.exploit-db.com/exploits/43008
https://access.redhat.com/errata/RHSA-2018:0275
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
https://github.com/apache/tomcat/commit/b7e0435d17aba69f16ae9e8a78ad0f1565b552af
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://nvd.nist.gov/vuln/detail/CVE-2017-12617
https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html
https://github.com/apache/tomcat/commit/bbcbb749c75056a2781f37038d63e646fe972104
https://github.com/apache/tomcat/commit/fd52f8601170b91f9d7162510e54563e5bf6bdfe
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
https://github.com/apache/tomcat/commit/512a3c3aecdb52de092c6bacddd71b85c4feda06
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
https://security.netapp.com/advisory/ntap-20180117-0002
https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E
https://access.redhat.com/errata/RHSA-2017:3113
https://access.redhat.com/errata/RHSA-2018:0269
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
https://access.redhat.com/security/cve/CVE-2017-12617
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E
https://access.redhat.com/errata/RHSA-2018:2939
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
https://github.com/apache/tomcat/commit/46dfedbc0523d7182be97f4244d7b6c942164485
https://github.com/apache/tomcat/commit/327e8a6644e188764325a013aa2725a60f1b37e5
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
https://www.exploit-db.com/exploits/42966/
https://github.com/apache/tomcat/commit/31e99502e2c602449a2f8835bd23ade772b77333
https://access.redhat.com/errata/RHSA-2018:0465
https://security.netapp.com/advisory/ntap-20171018-0002/
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E
https://github.com/apache/tomcat
https://security.netapp.com/advisory/ntap-20171018-0002
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
https://github.com/apache/tomcat/commit/a9dd96046d7acb0357c6b7b9e6cc70d186fae663
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
https://support.f5.com/csp/article/K53173544
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
https://github.com/apache/tomcat/commit/74ad0e216c791454a318c1811300469eedc5c6f3
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E
https://github.com/apache/tomcat/commit/4cf7dab88282c8f3c92f0b961cdb0096e1d63e88
https://github.com/apache/tomcat/commit/cf0b37beb0622abdf24acc7110daf883f3fe4f95
https://access.redhat.com/errata/RHSA-2018:0271
https://github.com/apache/tomcat/commit/d5b170705d24c386d76038e5989045c89795c28c
https://security.netapp.com/advisory/ntap-20180117-0002/
https://github.com/apache/tomcat/commit/f1b85da754c4760787d68a99e839b50878140b57
https://github.com/apache/tomcat/commit/506d862e7edfa991de198e0f2e4c4540830fa531
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
ATTACKED
CVSS v3
Base Score:
8.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Exploit Maturity
HIGH
CVSS v2
Base Score:
6.8
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Unrestricted Upload of File with Dangerous Type
CWE-434
EPSS
Base Score:
94.36