⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions.

Severity: 8.1 HIGH
EPSS: 94.4% (top 0.04%)
CISA KEV: added 2022-03-25, due 2022-04-15
Exploit: exploited in the wild, active exploitation observed

Timeline
Published: Oct 4
KEV added: Mar 25
KEV due: Apr 15
Latest update: Feb 21

Description

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
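The description names two conditions that must both hold: an affected Tomcat version and the Default servlet declared with readonly=false. The following Python audit, added here as an example and not part of this record or of Tomcat, checks both against a version string and the contents of conf/web.xml; the web.xml fragment is a constructed sample and the version ranges are taken from the description above.

```python
import xml.etree.ElementTree as ET

# Last affected patch level per branch, from the advisory text:
# 9.0.0.M1-9.0.0, 8.5.0-8.5.22, 8.0.0.RC1-8.0.46, 7.0.0-7.0.81
LAST_AFFECTED = {(9, 0): 0, (8, 5): 22, (8, 0): 46, (7, 0): 81}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def version_affected(version):
    """True if the Tomcat version string lies in an affected range. Milestone
    and RC builds (9.0.0.M1, 8.0.0.RC1) count as the patch level they precede."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    limit = LAST_AFFECTED.get((major, minor))
    return limit is not None and patch <= limit

def _local(tag):
    # conf/web.xml uses a Java EE default namespace; compare local names only
    return tag.rsplit("}", 1)[-1]

def put_enabled(web_xml_text):
    """True if the DefaultServlet is declared with readonly=false,
    i.e. the default servlet accepts HTTP PUT (and DELETE)."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = [c.text for c in servlet if _local(c.tag) == "servlet-class"]
        if not cls or (cls[0] or "").strip() != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "").lower() == "false"
        return False  # no readonly param: Tomcat defaults to readonly=true
    return False

def exposed(version, web_xml_text):
    """Exposed only when an affected version also has PUT enabled."""
    return version_affected(version) and put_enabled(web_xml_text)

# Constructed fragment modelled on Tomcat's conf/web.xml (sample, not a real file)
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

Run `exposed("8.5.20", SAMPLE_WEB_XML)` to see the vulnerable combination flagged; the same file on 8.5.23 or with readonly removed (Tomcat's default of true) is reported as not exposed.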

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (45 packages)

Source | Package | Introduced | Fixed
NVD | apache/tomcat | 7.0.0 | 7.0.82 (+3)
Maven | org.apache.tomcat:tomcat-catalina | 9.0.0.M1 | 9.0.1 (+3)
Maven | org.apache.tomcat.embed:tomcat-embed-core | 9.0.0.M1 | 9.0.1 (+3)

Also affects: Debian Linux 7.0, Ubuntu Linux 12.04, 16.04, 17.10, 18.04, Enterprise Linux 7.4, 7.5, 7.6, 7.7, 6.0, 7.0, 6.0_ppc64, 7.0_ppc64, 7.4_ppc64, 7.5_ppc64, 7.6_ppc64, 7.7_ppc64

Patches

🔴 Vulnerability Details (6)

OSV: Unrestricted Upload of File with Dangerous Type Apache Tomcat (2022-05-14)
GHSA: Unrestricted Upload of File with Dangerous Type Apache Tomcat (2022-05-14)
OSV: tomcat7, tomcat8 vulnerabilities (2018-05-30)
CVEList: CVE-2017-12617: When running Apache Tomcat versions 9… (2017-10-03)
OSV: CVE-2017-12617: When running Apache Tomcat versions 9… (2017-10-03)

💥 Exploits & PoCs (3)

Exploit-DB: Tomcat - Remote Code Execution via JSP Upload Bypass (Metasploit) (2017-10-17)
Exploit-DB: Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2) (2017-10-09)
Nuclei: Apache Tomcat - Remote Code Execution

🔍 Detection Rules (6)

Suricata: ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt (2017-10-05), five rule entries with this title

📋 Vendor Advisories (5)

Ubuntu: tomcat7 vulnerabilities (2025-02-21)
CISA: Apache Tomcat Remote Code Execution Vulnerability (2022-03-25)
Ubuntu: Tomcat vulnerabilities (2018-05-30)
Red Hat: tomcat: Remote Code Execution bypass for CVE-2017-12615 (2017-09-21)
Apache: Apache tomcat: CVE-2017-12617

💬 Community (3)

Bugzilla: CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 [fedora-all] (2017-10-02)
Bugzilla: CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 [epel-6] (2017-10-02)
Bugzilla: CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 (2017-09-21)