CVE-2017-12617: When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the…

high8.1CVSS 3.1

AVNACHPRNUINSUCHIHAH

KEVITWEXPLOIT

CISA Known Exploited Vulnerabilitydue 2022-04-15

Exploited in the wild

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Affected

155 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	tomcat	—	—
apache	tomcat	>= 7.0.0 < 7.0.82	7.0.82
apache	tomcat	>= 8.0 < 8.0.47	8.0.47
apache	tomcat	>= 8.5.0 < 8.5.23	8.5.23
apache	tomcat	>= 9.0.0 < 9.0.1	9.0.1
apache_software_foundation	apache_tomcat	—	—
apache_software_foundation	apache_tomcat	—	—
apache_software_foundation	apache_tomcat	—	—
apache_software_foundation	apache_tomcat	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
netapp	active_iq_unified_manager	>= 7.3	—
netapp	active_iq_unified_manager	>= 9.5	—
oracle	agile_plm	—	—
oracle	agile_plm	—	—
oracle	agile_plm	—	—
oracle	agile_plm	—	—
oracle	communications_instant_messaging_server	—	—
oracle	endeca_information_discovery_integrator	—	—
oracle	endeca_information_discovery_integrator	—	—
oracle	enterprise_manager_for_mysql_database	—	—
oracle	financial_services_analytical_applications_infrastructure	7.3.3.0.0 – 7.3.5.3.0	—

CVSS provenance

nvdv3.18.1HIGHCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

osv8.1HIGH

vulncheck8.1HIGH

cisa8.1HIGH