CVE-2017-12615
- Source
- https://cve.org/CVERecord?id=CVE-2017-12615
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12615.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-12615
- Aliases
- Downstream
- Related
- Published
- 2017-09-19T13:29:00.190Z
- Modified
- 2026-04-11T12:04:50.119083Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
- Database specific
{ "unresolved_ranges": [ { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.4" } ], "cpe": "cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.4:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.6" } ], "cpe": "cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.7" } ], "cpe": "cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "2.0.0" } ], "cpe": "cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "3.0.0" } ], "cpe": "cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "6.0" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.4" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.5" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.6" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.7" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.4" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.5" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.6" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.7" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.0_s390x" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.4_s390x" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.5_s390x" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.6_s390x" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.7_s390x" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.4_ppc64" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.5_ppc64" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.6_ppc64" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.7_ppc64" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.4_ppc64le" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.5_ppc64le" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.6_ppc64le" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.7_ppc64le" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "6.0" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.4" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.6" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.7" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.4_ppc64le" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.4_ppc64le:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.6_ppc64le" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6_ppc64le:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.7_ppc64le" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.7_ppc64le:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "9.2_ppc64le" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.4" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.6" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "7.7" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*" }, { "source": "CPE_FIELD", "extracted_events": [ { "last_affected": "6.0" } ], "cpe": "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*" } ] }- References
-
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615
- http://www.securityfocus.com/bid/100901
- http://www.securitytracker.com/id/1039392
- https://access.redhat.com/errata/RHSA-2017:3080
- https://access.redhat.com/errata/RHSA-2017:3081
- https://access.redhat.com/errata/RHSA-2017:3113
- https://access.redhat.com/errata/RHSA-2017:3114
- https://access.redhat.com/errata/RHSA-2018:0465
- https://access.redhat.com/errata/RHSA-2018:0466
- https://security.netapp.com/advisory/ntap-20171018-0001/
- https://www.exploit-db.com/exploits/42953/
- https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
- https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
- https://github.com/breaktoprotect/CVE-2017-12615
Affected packages
Git / github.com/apache/tomcat
Affected ranges
- Type
- GIT
- Repo
- https://github.com/apache/tomcat
- Events
-
IntroducedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedLast affected
- Database specific
{ "source": "CPE_FIELD", "extracted_events": [ { "introduced": "7.0.0" }, { "last_affected": "7.0.79" }, { "introduced": "0" }, { "last_affected": "7.0" }, { "last_affected": "7.0_ppc64" }, { "last_affected": "7.0_ppc64le" } ], "cpe": [ "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0_ppc64le:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*" ] }