CVE-2017-12617

Published: 04 Oct 2017
Source: debian
EPSS: Critical

Description

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Packages

Package      Status         Fixed version   Release   Type
tomcat8      not-affected   -               -         package
tomcat8.0    not-affected   -               -         package
tomcat7      not-affected   -               -         package

Notes

  • https://svn.apache.org/r1809673 (8.5.x)

  • https://svn.apache.org/r1809675 (8.5.x)

  • https://svn.apache.org/r1809896 (8.5.x)

  • https://svn.apache.org/r1809921 (8.0.x)

  • https://svn.apache.org/r1809978 (7.0.x)

  • https://svn.apache.org/r1809992 (7.0.x)

  • https://svn.apache.org/r1810014 (7.0.x)

  • https://svn.apache.org/r1810026 (7.0.x)

  • https://bz.apache.org/bugzilla/show_bug.cgi?id=61542

EPSS

Percentile: 100%
Score: 0.94394
Critical

Related vulnerabilities

CVSS3: 8.1
ubuntu
almost 8 years ago

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CVSS3: 8.1
redhat
almost 8 years ago

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CVSS3: 8.1
nvd
almost 8 years ago

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CVSS3: 8.1
github
about 3 years ago

Unrestricted Upload of File with Dangerous Type Apache Tomcat

CVSS3: 8.1
fstec
almost 8 years ago

A vulnerability in the Apache Tomcat application server, caused by missing restrictions on file uploads, that allows an attacker to execute arbitrary code
