CVE-2017-12617
HIGH8.1⚠ KEVEPSS 94.4%tomcat7 - security update
Published: 5/14/2022Modified: 3/9/2026Added to CISA KEV: 3/25/2022
Description
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Affected packages (3)
- Debian/tomcat7from 0, < 7.0.28-4+deb7u16
- Maven/org.apache.tomcat.embed:tomcat-embed-core>= 9.0.0.M1, < 9.0.1
- Maven/org.apache.tomcat:tomcat-catalina>= 9.0.0.M1, < 9.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H |
References (84)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-12617
- PATCHhttps://github.com/apache/tomcat
- WEBhttps://access.redhat.com/errata/RHSA-2017:3080
- WEBhttps://access.redhat.com/errata/RHSA-2017:3081
- WEBhttps://access.redhat.com/errata/RHSA-2017:3113
- WEBhttps://access.redhat.com/errata/RHSA-2017:3114
- WEBhttps://access.redhat.com/errata/RHSA-2018:0268
- WEBhttps://access.redhat.com/errata/RHSA-2018:0269
- WEBhttps://access.redhat.com/errata/RHSA-2018:0270
- WEBhttps://access.redhat.com/errata/RHSA-2018:0271
- WEBhttps://access.redhat.com/errata/RHSA-2018:0275
- WEBhttps://access.redhat.com/errata/RHSA-2018:0465
- WEBhttps://access.redhat.com/errata/RHSA-2018:0466
- WEBhttps://access.redhat.com/errata/RHSA-2018:2939
- WEBhttps://github.com/apache/tomcat/commit/24aea94807f940ee44aa550378dc903289039ddd
- WEBhttps://github.com/apache/tomcat/commit/31e99502e2c602449a2f8835bd23ade772b77333
- WEBhttps://github.com/apache/tomcat/commit/327e8a6644e188764325a013aa2725a60f1b37e5
- WEBhttps://github.com/apache/tomcat/commit/46dfedbc0523d7182be97f4244d7b6c942164485
- WEBhttps://github.com/apache/tomcat/commit/4cf7dab88282c8f3c92f0b961cdb0096e1d63e88
- WEBhttps://github.com/apache/tomcat/commit/506d862e7edfa991de198e0f2e4c4540830fa531
- WEBhttps://github.com/apache/tomcat/commit/512a3c3aecdb52de092c6bacddd71b85c4feda06
- WEBhttps://github.com/apache/tomcat/commit/74ad0e216c791454a318c1811300469eedc5c6f3
- WEBhttps://github.com/apache/tomcat/commit/a9dd96046d7acb0357c6b7b9e6cc70d186fae663
- WEBhttps://github.com/apache/tomcat/commit/b577f9a7996b92b650b1649af3c3bae11c120db9
- WEBhttps://github.com/apache/tomcat/commit/b7e0435d17aba69f16ae9e8a78ad0f1565b552af
- WEBhttps://github.com/apache/tomcat/commit/bbcbb749c75056a2781f37038d63e646fe972104
- WEBhttps://github.com/apache/tomcat/commit/c177e9668d1278710bdb14c0eb8d2702b3655f5a
- WEBhttps://github.com/apache/tomcat/commit/cf0b37beb0622abdf24acc7110daf883f3fe4f95
- WEBhttps://github.com/apache/tomcat/commit/d5b170705d24c386d76038e5989045c89795c28c
- WEBhttps://github.com/apache/tomcat/commit/e650cf1b83e441dbd3863f3f6b61c972cafce19e
- WEBhttps://github.com/apache/tomcat/commit/f1b85da754c4760787d68a99e839b50878140b57
- WEBhttps://github.com/apache/tomcat/commit/fd52f8601170b91f9d7162510e54563e5bf6bdfe
- WEBhttps://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E
- WEBhttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- … 34 more