When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false), it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested, and any code it contained would be executed by the server.
References

http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
http://www.securityfocus.com/bid/100901
http://www.securitytracker.com/id/1039392
https://access.redhat.com/errata/RHSA-2017:3080
https://access.redhat.com/errata/RHSA-2017:3081
https://access.redhat.com/errata/RHSA-2017:3113
https://access.redhat.com/errata/RHSA-2017:3114
https://access.redhat.com/errata/RHSA-2018:0465
https://access.redhat.com/errata/RHSA-2018:0466
https://github.com/breaktoprotect/CVE-2017-12615
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2017-12615
https://security.netapp.com/advisory/ntap-20171018-0001/
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cve.org/CVERecord?id=CVE-2017-12615
https://www.exploit-db.com/exploits/42953/
https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
History

Wed, 14 Aug 2024 00:15:00 +0000

Type | Values Removed | Values Added
References | |

MITRE
Status: PUBLISHED
Assigner: apache
Published: 2017-09-19T13:00:00Z
Updated: 2024-09-17T01:56:38.037Z
Reserved: 2017-08-07T00:00:00
Link: CVE-2017-12615

Vulnrichment
No data.

NVD
Status: Modified
Published: 2017-09-19T13:29:00.190
Modified: 2024-11-21T03:09:53.973
Link: CVE-2017-12615

Redhat
Severity: Important
Public Date: 2017-09-19T00:00:00Z
Links: CVE-2017-12615 - Bugzilla