CVE-2017-12615

Affected configuration(s):

cpe:/a:apache:tomcat:7.0
cpe:/a:apache:tomcat:7.0.0
cpe:/a:apache:tomcat:7.0.0:beta
cpe:/a:apache:tomcat:7.0.1
cpe:/a:apache:tomcat:7.0.2
cpe:/a:apache:tomcat:7.0.2:beta
cpe:/a:apache:tomcat:7.0.3
cpe:/a:apache:tomcat:7.0.4
cpe:/a:apache:tomcat:7.0.4:beta
cpe:/a:apache:tomcat:7.0.5
cpe:/a:apache:tomcat:7.0.5:beta
cpe:/a:apache:tomcat:7.0.6
cpe:/a:apache:tomcat:7.0.7
cpe:/a:apache:tomcat:7.0.8
cpe:/a:apache:tomcat:7.0.9
cpe:/a:apache:tomcat:7.0.10
cpe:/a:apache:tomcat:7.0.11
cpe:/a:apache:tomcat:7.0.12
cpe:/a:apache:tomcat:7.0.13
cpe:/a:apache:tomcat:7.0.14
cpe:/a:apache:tomcat:7.0.15
cpe:/a:apache:tomcat:7.0.16
cpe:/a:apache:tomcat:7.0.17
cpe:/a:apache:tomcat:7.0.18
cpe:/a:apache:tomcat:7.0.19
cpe:/a:apache:tomcat:7.0.20
cpe:/a:apache:tomcat:7.0.21
cpe:/a:apache:tomcat:7.0.22
cpe:/a:apache:tomcat:7.0.23
cpe:/a:apache:tomcat:7.0.24
cpe:/a:apache:tomcat:7.0.25
cpe:/a:apache:tomcat:7.0.26
cpe:/a:apache:tomcat:7.0.27
cpe:/a:apache:tomcat:7.0.28
cpe:/a:apache:tomcat:7.0.29
cpe:/a:apache:tomcat:7.0.30
cpe:/a:apache:tomcat:7.0.31
cpe:/a:apache:tomcat:7.0.32
cpe:/a:apache:tomcat:7.0.33
cpe:/a:apache:tomcat:7.0.34
cpe:/a:apache:tomcat:7.0.35
cpe:/a:apache:tomcat:7.0.36
cpe:/a:apache:tomcat:7.0.37
cpe:/a:apache:tomcat:7.0.38
cpe:/a:apache:tomcat:7.0.39
cpe:/a:apache:tomcat:7.0.40
cpe:/a:apache:tomcat:7.0.41
cpe:/a:apache:tomcat:7.0.42
cpe:/a:apache:tomcat:7.0.43
cpe:/a:apache:tomcat:7.0.44
cpe:/a:apache:tomcat:7.0.45
cpe:/a:apache:tomcat:7.0.46
cpe:/a:apache:tomcat:7.0.47
cpe:/a:apache:tomcat:7.0.48
cpe:/a:apache:tomcat:7.0.49
cpe:/a:apache:tomcat:7.0.50
cpe:/a:apache:tomcat:7.0.51
cpe:/a:apache:tomcat:7.0.54
cpe:/a:apache:tomcat:7.0.55
cpe:/a:apache:tomcat:7.0.56
cpe:/a:apache:tomcat:7.0.57
cpe:/a:apache:tomcat:7.0.58
cpe:/a:apache:tomcat:7.0.59
cpe:/a:apache:tomcat:7.0.60
cpe:/a:apache:tomcat:7.0.61
cpe:/a:apache:tomcat:7.0.62
cpe:/a:apache:tomcat:7.0.63
cpe:/a:apache:tomcat:7.0.64
cpe:/a:apache:tomcat:7.0.65
cpe:/a:apache:tomcat:7.0.66
cpe:/a:apache:tomcat:7.0.67
cpe:/a:apache:tomcat:7.0.68
cpe:/a:apache:tomcat:7.0.69
cpe:/a:apache:tomcat:7.0.70
cpe:/a:apache:tomcat:7.0.71
cpe:/a:apache:tomcat:7.0.72
cpe:/a:apache:tomcat:7.0.73
cpe:/a:apache:tomcat:7.0.74
cpe:/a:apache:tomcat:7.0.75
cpe:/a:apache:tomcat:7.0.76
cpe:/a:apache:tomcat:7.0.77
cpe:/a:apache:tomcat:7.0.79

Date published: 2017-09-19T09:29:00.190-04:00

Date last modified: 2017-12-01T21:29:05.857-05:00

CVSS Score: 6.8

Principal attack vector: NETWORK

Complexity: MEDIUM

Reference URL: http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html

Summary: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUT enabled (e.g. by setting the readonly initialisation parameter of the Default servlet to false), it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested, and any code it contained would be executed by the server.

