CVE-2017-12615 - When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the r

CVE-2017-12615

Summary

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

References

Vulnerable Configurations

cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.78:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.7_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.7_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.4_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.4_ppc64le:*:*:*:*:*:*:*
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_web_server_text-only_advisories:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_web_server_text-only_advisories:-:*:*:*:*:*:*:*

CVSS

Base:	6.8 (as of 16-07-2024 - 17:58)
Impact:
Exploitability:

CWE

CWE-434

CAPEC

Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:N/C:P/I:P/A:P

redhat via4

advisories

rhsa
id RHSA-2017:3080
rhsa
id RHSA-2017:3081
rhsa
id RHSA-2017:3113
rhsa
id RHSA-2017:3114
rhsa
id RHSA-2018:0465
rhsa
id RHSA-2018:0466

rpms

tomcat6-0:6.0.24-111.el6_9
tomcat6-admin-webapps-0:6.0.24-111.el6_9
tomcat6-docs-webapp-0:6.0.24-111.el6_9
tomcat6-el-2.1-api-0:6.0.24-111.el6_9
tomcat6-javadoc-0:6.0.24-111.el6_9
tomcat6-jsp-2.1-api-0:6.0.24-111.el6_9
tomcat6-lib-0:6.0.24-111.el6_9
tomcat6-servlet-2.5-api-0:6.0.24-111.el6_9
tomcat6-webapps-0:6.0.24-111.el6_9
tomcat-0:7.0.76-3.el7_4
tomcat-admin-webapps-0:7.0.76-3.el7_4
tomcat-docs-webapp-0:7.0.76-3.el7_4
tomcat-el-2.2-api-0:7.0.76-3.el7_4
tomcat-javadoc-0:7.0.76-3.el7_4
tomcat-jsp-2.2-api-0:7.0.76-3.el7_4
tomcat-jsvc-0:7.0.76-3.el7_4
tomcat-lib-0:7.0.76-3.el7_4
tomcat-servlet-3.0-api-0:7.0.76-3.el7_4
tomcat-webapps-0:7.0.76-3.el7_4
httpd-0:2.2.26-57.ep6.el6
httpd-debuginfo-0:2.2.26-57.ep6.el6
httpd-devel-0:2.2.26-57.ep6.el6
httpd-manual-0:2.2.26-57.ep6.el6
httpd-tools-0:2.2.26-57.ep6.el6
httpd22-0:2.2.26-58.ep6.el7
httpd22-debuginfo-0:2.2.26-58.ep6.el7
httpd22-devel-0:2.2.26-58.ep6.el7
httpd22-manual-0:2.2.26-58.ep6.el7
httpd22-tools-0:2.2.26-58.ep6.el7
jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6
jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7
jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6
jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7
jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6
jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7
jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6
jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7
jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6
jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7
jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6
jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7
mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el6
mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el7
mod_cluster-native-debuginfo-0:1.2.13-9.Final_redhat_2.ep6.el6
mod_cluster-native-debuginfo-0:1.2.13-9.Final_redhat_2.ep6.el7
mod_ldap-0:2.2.26-57.ep6.el6
mod_ldap22-0:2.2.26-58.ep6.el7
mod_ssl-1:2.2.26-57.ep6.el6
mod_ssl22-1:2.2.26-58.ep6.el7
tomcat6-0:6.0.41-19_patch_04.ep6.el6
tomcat6-0:6.0.41-19_patch_04.ep6.el7
tomcat6-admin-webapps-0:6.0.41-19_patch_04.ep6.el6
tomcat6-admin-webapps-0:6.0.41-19_patch_04.ep6.el7
tomcat6-docs-webapp-0:6.0.41-19_patch_04.ep6.el6
tomcat6-docs-webapp-0:6.0.41-19_patch_04.ep6.el7
tomcat6-el-2.1-api-0:6.0.41-19_patch_04.ep6.el6
tomcat6-el-2.1-api-0:6.0.41-19_patch_04.ep6.el7
tomcat6-javadoc-0:6.0.41-19_patch_04.ep6.el6
tomcat6-javadoc-0:6.0.41-19_patch_04.ep6.el7
tomcat6-jsp-2.1-api-0:6.0.41-19_patch_04.ep6.el6
tomcat6-jsp-2.1-api-0:6.0.41-19_patch_04.ep6.el7
tomcat6-lib-0:6.0.41-19_patch_04.ep6.el6
tomcat6-lib-0:6.0.41-19_patch_04.ep6.el7
tomcat6-log4j-0:6.0.41-19_patch_04.ep6.el6
tomcat6-log4j-0:6.0.41-19_patch_04.ep6.el7
tomcat6-maven-devel-0:6.0.41-19_patch_04.ep6.el6
tomcat6-maven-devel-0:6.0.41-19_patch_04.ep6.el7
tomcat6-servlet-2.5-api-0:6.0.41-19_patch_04.ep6.el6
tomcat6-servlet-2.5-api-0:6.0.41-19_patch_04.ep6.el7
tomcat6-webapps-0:6.0.41-19_patch_04.ep6.el6
tomcat6-webapps-0:6.0.41-19_patch_04.ep6.el7
tomcat7-0:7.0.54-28_patch_05.ep6.el6
tomcat7-0:7.0.54-28_patch_05.ep6.el7
tomcat7-admin-webapps-0:7.0.54-28_patch_05.ep6.el6
tomcat7-admin-webapps-0:7.0.54-28_patch_05.ep6.el7
tomcat7-docs-webapp-0:7.0.54-28_patch_05.ep6.el6
tomcat7-docs-webapp-0:7.0.54-28_patch_05.ep6.el7
tomcat7-el-2.2-api-0:7.0.54-28_patch_05.ep6.el6
tomcat7-el-2.2-api-0:7.0.54-28_patch_05.ep6.el7
tomcat7-javadoc-0:7.0.54-28_patch_05.ep6.el6
tomcat7-javadoc-0:7.0.54-28_patch_05.ep6.el7
tomcat7-jsp-2.2-api-0:7.0.54-28_patch_05.ep6.el6
tomcat7-jsp-2.2-api-0:7.0.54-28_patch_05.ep6.el7
tomcat7-lib-0:7.0.54-28_patch_05.ep6.el6
tomcat7-lib-0:7.0.54-28_patch_05.ep6.el7
tomcat7-log4j-0:7.0.54-28_patch_05.ep6.el6
tomcat7-log4j-0:7.0.54-28_patch_05.ep6.el7
tomcat7-maven-devel-0:7.0.54-28_patch_05.ep6.el6
tomcat7-maven-devel-0:7.0.54-28_patch_05.ep6.el7
tomcat7-servlet-3.0-api-0:7.0.54-28_patch_05.ep6.el6
tomcat7-servlet-3.0-api-0:7.0.54-28_patch_05.ep6.el7
tomcat7-webapps-0:7.0.54-28_patch_05.ep6.el6
tomcat7-webapps-0:7.0.54-28_patch_05.ep6.el7
mod_cluster-0:1.3.8-2.Final_redhat_2.1.ep7.el6
mod_cluster-0:1.3.8-2.Final_redhat_2.1.ep7.el7
mod_cluster-tomcat7-0:1.3.8-2.Final_redhat_2.1.ep7.el6
mod_cluster-tomcat7-0:1.3.8-2.Final_redhat_2.1.ep7.el7
mod_cluster-tomcat8-0:1.3.8-2.Final_redhat_2.1.ep7.el6
mod_cluster-tomcat8-0:1.3.8-2.Final_redhat_2.1.ep7.el7
tomcat-native-0:1.2.8-11.redhat_11.ep7.el6
tomcat-native-0:1.2.8-11.redhat_11.ep7.el7
tomcat-native-debuginfo-0:1.2.8-11.redhat_11.ep7.el6
tomcat-native-debuginfo-0:1.2.8-11.redhat_11.ep7.el7
tomcat-vault-0:1.1.6-1.Final_redhat_1.1.ep7.el6
tomcat-vault-0:1.1.6-1.Final_redhat_1.1.ep7.el7
tomcat-vault-tomcat7-0:1.1.6-1.Final_redhat_1.1.ep7.el6
tomcat-vault-tomcat7-0:1.1.6-1.Final_redhat_1.1.ep7.el7
tomcat-vault-tomcat8-0:1.1.6-1.Final_redhat_1.1.ep7.el6
tomcat-vault-tomcat8-0:1.1.6-1.Final_redhat_1.1.ep7.el7
tomcat7-0:7.0.70-25.ep7.el6
tomcat7-0:7.0.70-25.ep7.el7
tomcat7-admin-webapps-0:7.0.70-25.ep7.el6
tomcat7-admin-webapps-0:7.0.70-25.ep7.el7
tomcat7-docs-webapp-0:7.0.70-25.ep7.el6
tomcat7-docs-webapp-0:7.0.70-25.ep7.el7
tomcat7-el-2.2-api-0:7.0.70-25.ep7.el6
tomcat7-el-2.2-api-0:7.0.70-25.ep7.el7
tomcat7-javadoc-0:7.0.70-25.ep7.el6
tomcat7-javadoc-0:7.0.70-25.ep7.el7
tomcat7-jsp-2.2-api-0:7.0.70-25.ep7.el6
tomcat7-jsp-2.2-api-0:7.0.70-25.ep7.el7
tomcat7-jsvc-0:7.0.70-25.ep7.el6
tomcat7-jsvc-0:7.0.70-25.ep7.el7
tomcat7-lib-0:7.0.70-25.ep7.el6
tomcat7-lib-0:7.0.70-25.ep7.el7
tomcat7-log4j-0:7.0.70-25.ep7.el6
tomcat7-log4j-0:7.0.70-25.ep7.el7
tomcat7-selinux-0:7.0.70-25.ep7.el6
tomcat7-selinux-0:7.0.70-25.ep7.el7
tomcat7-servlet-3.0-api-0:7.0.70-25.ep7.el6
tomcat7-servlet-3.0-api-0:7.0.70-25.ep7.el7
tomcat7-webapps-0:7.0.70-25.ep7.el6
tomcat7-webapps-0:7.0.70-25.ep7.el7
tomcat8-0:8.0.36-29.ep7.el6
tomcat8-0:8.0.36-29.ep7.el7
tomcat8-admin-webapps-0:8.0.36-29.ep7.el6
tomcat8-admin-webapps-0:8.0.36-29.ep7.el7
tomcat8-docs-webapp-0:8.0.36-29.ep7.el6
tomcat8-docs-webapp-0:8.0.36-29.ep7.el7
tomcat8-el-2.2-api-0:8.0.36-29.ep7.el6
tomcat8-el-2.2-api-0:8.0.36-29.ep7.el7
tomcat8-javadoc-0:8.0.36-29.ep7.el6
tomcat8-javadoc-0:8.0.36-29.ep7.el7
tomcat8-jsp-2.3-api-0:8.0.36-29.ep7.el6
tomcat8-jsp-2.3-api-0:8.0.36-29.ep7.el7
tomcat8-jsvc-0:8.0.36-29.ep7.el6
tomcat8-jsvc-0:8.0.36-29.ep7.el7
tomcat8-lib-0:8.0.36-29.ep7.el6
tomcat8-lib-0:8.0.36-29.ep7.el7
tomcat8-log4j-0:8.0.36-29.ep7.el6
tomcat8-log4j-0:8.0.36-29.ep7.el7
tomcat8-selinux-0:8.0.36-29.ep7.el6
tomcat8-selinux-0:8.0.36-29.ep7.el7
tomcat8-servlet-3.1-api-0:8.0.36-29.ep7.el6
tomcat8-servlet-3.1-api-0:8.0.36-29.ep7.el7
tomcat8-webapps-0:8.0.36-29.ep7.el6
tomcat8-webapps-0:8.0.36-29.ep7.el7

refmap via4

bid	100901
confirm	https://security.netapp.com/advisory/ntap-20171018-0001/ https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
exploit-db	42953
misc	http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html https://github.com/breaktoprotect/CVE-2017-12615
mlist	[announce] 20170919 [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload [announce] 20200131 Apache Software Foundation Security Report: 2019 [tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ [tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ [tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ [tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/
sectrack	1039392

Last major update

16-07-2024 - 17:58

Published

19-09-2017 - 13:29

Last modified

16-07-2024 - 17:58