cbcvebase.
CVE-2017-12615
published 2017-09-19

CVSS 3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Affected

47 affected ranges in the source record; 25 shown below (version range and fixed-in columns are empty where the source gives none).

Vendor                      Product                                          Version range    Fixed in
apache                      tomcat                                           7.0.0 – 7.0.79
apache_software_foundation  apache_tomcat
redhat                      enterprise_linux_desktop
redhat                      enterprise_linux_desktop
redhat                      enterprise_linux_eus
redhat                      enterprise_linux_eus
redhat                      enterprise_linux_eus
redhat                      enterprise_linux_eus
redhat                      enterprise_linux_eus_compute_node
redhat                      enterprise_linux_eus_compute_node
redhat                      enterprise_linux_eus_compute_node
redhat                      enterprise_linux_eus_compute_node
redhat                      enterprise_linux_for_ibm_z_systems
redhat                      enterprise_linux_for_ibm_z_systems_eus
redhat                      enterprise_linux_for_ibm_z_systems_eus
redhat                      enterprise_linux_for_ibm_z_systems_eus
redhat                      enterprise_linux_for_ibm_z_systems_eus
redhat                      enterprise_linux_for_power_big_endian
redhat                      enterprise_linux_for_power_big_endian_eus
redhat                      enterprise_linux_for_power_big_endian_eus
redhat                      enterprise_linux_for_power_big_endian_eus
redhat                      enterprise_linux_for_power_big_endian_eus
redhat                      enterprise_linux_for_power_little_endian
redhat                      enterprise_linux_for_power_little_endian_eus
redhat                      enterprise_linux_for_power_little_endian_eus

CVSS provenance

nvd (CVSS v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.1 HIGH
cisa: 8.1 HIGH