
CVE-2017-12617

Severity

8.1

Description

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Project

Apache Tomcat

Apache TomEE

Category
Remote Code Execution
Tags
data
operational
Date Disclosed

2017-10-03

Date Discovered

2017-08-07

Apache TomEE 7.0.x

First release:
2016-05-17
CVEs:
111
Support Lifecycle:
Namespace:
javax

Apache Tomcat 7.0.x

First release:
2011-01-14
First release:
2021-03-31
CVEs:
55
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.7.x

First release:
2014-08-09
CVEs:
95
Support Lifecycle:
Namespace:
javax