CVE-2017-12616
Published 2017-09-19
Priority: P2 · 67 · high
CVSS 3.0: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 70.80% (99.3th percentile)
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Affected
79 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
Detection & IOCs
- Vulnerability is exploitable only when VirtualDirContext is configured in Apache Tomcat 7.0.0 through 7.0.80; detect by inspecting Tomcat context configuration for VirtualDirContext usage.
- Monitor for specially crafted HTTP requests targeting JSP resources that may reveal JSP source code or bypass security constraints when VirtualDirContext is in use.
- Upstream fix is available at SVN revision 1804729; use this to diff and understand the exact request-handling flaw for building detection signatures.
- VirtualDirContext is not intended for production use; exploitation is only possible if it has been explicitly configured, limiting the real-world attack surface.
- Affected version range is strictly Apache Tomcat 7.0.0 to 7.0.80; Tomcat 5 and 6 are listed as not affected or out of scope by Red Hat.
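CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |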
GHSA
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
ghsa·2022-05-14
CVE-2017-12616 [HIGH] CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
OSV
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
osv·2022-05-14
CVE-2017-12616 [HIGH] Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
OSV
tomcat7, tomcat8 vulnerabilities
osv·2018-05-30·CVSS 7.5
CVE-2017-12616 [HIGH] tomcat7, tomcat8 vulnerabilities
It was discovered that Tomcat incorrectly handled being configured with
HTTP PUTs enabled. A remote attacker could use this issue to upload a JSP
file to the server and execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-12616,
CVE-2017-12617)
It was discovered that Tomcat contained incorrect documentation regarding
description of the search algorithm used by the CGI Servlet to identify
which script to execute. This issue only affected Ubuntu 17.10.
(CVE-2017-15706)
It was discovered that Tomcat incorrectly handled an empty string URL
pattern in security constraint definitions. A remote attacker could
possibly use this issue to gain access to web application resources,
contrary to expectations.
OSV
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7
osv·2017-09-19·CVSS 7.5
CVE-2017-12616 [HIGH] CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Ubuntu
tomcat7 vulnerabilities
vendor_ubuntu·2025-02-21
CVE-2017-12616 tomcat7 vulnerabilities
Title: tomcat7 vulnerabilities
Summary: tomcat7 could be made to execute arbitrary code.
It was discovered that Tomcat incorrectly handled being configured with
HTTP PUTs enabled. A remote attacker could use this issue to upload a JSP
file to the server and execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu·2018-05-30·CVSS 7.5
CVE-2017-12616 [HIGH] Tomcat vulnerabilities
Title: Tomcat vulnerabilities
Summary: Several security issues were fixed in Tomcat.
It was discovered that Tomcat incorrectly handled being configured with
HTTP PUTs enabled. A remote attacker could use this issue to upload a JSP
file to the server and execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-12616,
CVE-2017-12617)
It was discovered that Tomcat contained incorrect documentation regarding
description of the search algorithm used by the CGI Servlet to identify
which script to execute. This issue only affected Ubuntu 17.10.
(CVE-2017-15706)
It was discovered that Tomcat incorrectly handled an empty string URL
pattern in security constraint definitions. A remote attacker could
possibly use this issue to gain access to
Red Hat
tomcat: Information Disclosure when using VirtualDirContext
vendor_redhat·2017-09-19·CVSS 7.5
CVE-2017-12616 [HIGH] CWE-200 tomcat: Information Disclosure when using VirtualDirContext
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Statement: VirtualDirContext is not designed to be used in production, but only to ease development with IDEs without needing to fully republish jars in WEB-INF/lib.
Package: tomcat5 (Red Hat Enterprise Linux 5) - Not affected
Package: tomcat6 (Red Hat Enterprise Linux 6) - Will not fix
Package: tomcat (Red Hat Enterprise Linux 7) - Will not fix
Package: jbossweb (Red Hat JBoss Data Grid 6) - Not affected
Package: jbossweb (Red Hat JBoss Data Virtualization 6) - Not affected
Package: jbossweb (Red
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-12616 tomcat: Information Disclosure when using VirtualDirContext [epel-6]
bugzilla·2017-09-19·CVSS 7.5
CVE-2017-12616 [HIGH] CVE-2017-12616 tomcat: Information Disclosure when using VirtualDirContext [epel-6]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-6.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the
Bugzilla
CVE-2017-12616 tomcat: Information Disclosure when using VirtualDirContext
bugzilla·2017-09-19·CVSS 7.5
CVE-2017-12616 [HIGH] CVE-2017-12616 tomcat: Information Disclosure when using VirtualDirContext
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Affected versions: 7.0.0 to 7.0.80
Upstream patch:
https://svn.apache.org/viewvc?view=revision&revision=1804729
External References:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
Discussion:
Created jbossweb tracking bugs for this issue:
Affects: openshift-1 [bug 1493224]
Created tomcat tracking bugs for this issue:
Affects: epel-6 [bug 1493225]
---
VirtualDirContext is not designed to be used in Production. Also, because the information disclosed is