GHSA-pjfr-qf3p-3q25

Suggest an improvement
Source
https://github.com/advisories/GHSA-pjfr-qf3p-3q25
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-pjfr-qf3p-3q25/GHSA-pjfr-qf3p-3q25.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-pjfr-qf3p-3q25
Aliases
Published
2018-10-17T16:30:31Z
Modified
2024-07-16T20:21:24.340459Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server
Details

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

References

Affected packages

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.79

Affected versions

7.*

7.0.0
7.0.2
7.0.4
7.0.5
7.0.6
7.0.8
7.0.11
7.0.12
7.0.14
7.0.16
7.0.19
7.0.20
7.0.21
7.0.22
7.0.23
7.0.25
7.0.26
7.0.27
7.0.28
7.0.29
7.0.30
7.0.32
7.0.33
7.0.34
7.0.35
7.0.37
7.0.39
7.0.40
7.0.41
7.0.42
7.0.47
7.0.50
7.0.52
7.0.53
7.0.54
7.0.55
7.0.56
7.0.57
7.0.59
7.0.61
7.0.62
7.0.63
7.0.64
7.0.65
7.0.67
7.0.68
7.0.69
7.0.70
7.0.72
7.0.73
7.0.75
7.0.76
7.0.77
7.0.78