When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
References
Link Providers
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html cve-icon cve-icon
http://www.securityfocus.com/bid/100954 cve-icon cve-icon
http://www.securitytracker.com/id/1039552 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3080 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3081 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3113 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3114 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0268 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0269 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0270 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0271 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0275 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0465 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0466 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2939 cve-icon cve-icon
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2017-12617 cve-icon
https://security.netapp.com/advisory/ntap-20171018-0002/ cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20180117-0002/ cve-icon cve-icon
https://support.f5.com/csp/article/K53173544 cve-icon cve-icon
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us cve-icon cve-icon
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us cve-icon cve-icon
https://tomcat.apache.org/security-7.html cve-icon
https://tomcat.apache.org/security-8.html cve-icon
https://usn.ubuntu.com/3665-1/ cve-icon cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog cve-icon
https://www.cve.org/CVERecord?id=CVE-2017-12617 cve-icon
https://www.exploit-db.com/exploits/42966/ cve-icon cve-icon
https://www.exploit-db.com/exploits/43008/ cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html cve-icon cve-icon
History

Wed, 14 Aug 2024 00:15:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2017-10-03T15:00:00Z

Updated: 2024-09-16T23:31:46.235Z

Reserved: 2017-08-07T00:00:00

Link: CVE-2017-12617

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2017-10-04T01:29:02.120

Modified: 2024-11-21T03:09:54.273

Link: CVE-2017-12617

cve-icon Redhat

Severity : Important

Publid Date: 2017-09-21T00:00:00Z

Links: CVE-2017-12617 - Bugzilla