CVE-2017-12615 (CVSS base score 8.1)
- EPSS 94.36%
- Published 19.09.2017 13:29:00
- Last modified 20.04.2025 01:37:25
- Source security@apache.org
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. by setting the readonly initialisation parameter of the Default servlet to false), it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested, and any code it contained would be executed by the server.
Data provided by the National Vulnerability Database (NVD)
Affected products:
Netapp ≫ 7-mode Transition Tool, Version -
Netapp ≫ Oncommand Balance, Version -
Netapp ≫ Oncommand Shift, Version -
Redhat ≫ Jboss Enterprise Web Server, Version 2.0.0
Redhat ≫ Jboss Enterprise Web Server, Version 3.0.0
Redhat ≫ Enterprise Linux Desktop, Version 6.0
Redhat ≫ Enterprise Linux Desktop, Version 7.0
Redhat ≫ Enterprise Linux Eus, Version 7.4
Redhat ≫ Enterprise Linux Eus, Version 7.5
Redhat ≫ Enterprise Linux Eus, Version 7.6
Redhat ≫ Enterprise Linux Eus, Version 7.7
Redhat ≫ Enterprise Linux Eus Compute Node, Version 7.4
Redhat ≫ Enterprise Linux Eus Compute Node, Version 7.5
Redhat ≫ Enterprise Linux Eus Compute Node, Version 7.6
Redhat ≫ Enterprise Linux Eus Compute Node, Version 7.7
Redhat ≫ Enterprise Linux For Ibm Z Systems, Version 7.0_s390x
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.4_s390x
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.5_s390x
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.6_s390x
Redhat ≫ Enterprise Linux For Ibm Z Systems Eus, Version 7.7_s390x
Redhat ≫ Enterprise Linux For Power Big Endian, Version 7.0_ppc64
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.4_ppc64
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.5_ppc64
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.6_ppc64
Redhat ≫ Enterprise Linux For Power Big Endian Eus, Version 7.7_ppc64
Redhat ≫ Enterprise Linux For Power Little Endian, Version 7.0_ppc64le
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.4_ppc64le
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.5_ppc64le
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.6_ppc64le
Redhat ≫ Enterprise Linux For Power Little Endian Eus, Version 7.7_ppc64le
Redhat ≫ Enterprise Linux For Scientific Computing, Version 7.0
Redhat ≫ Enterprise Linux Server, Version 6.0
Redhat ≫ Enterprise Linux Server, Version 7.0
Redhat ≫ Enterprise Linux Server Aus, Version 7.4
Redhat ≫ Enterprise Linux Server Aus, Version 7.6
Redhat ≫ Enterprise Linux Server Aus, Version 7.7
Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions, Version 7.4_ppc64le
Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions, Version 7.6_ppc64le
Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions, Version 7.7_ppc64le
Redhat ≫ Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions, Version 9.2_ppc64le
Redhat ≫ Enterprise Linux Server Tus, Version 7.4
Redhat ≫ Enterprise Linux Server Tus, Version 7.6
Redhat ≫ Enterprise Linux Server Tus, Version 7.7
Redhat ≫ Enterprise Linux Workstation, Version 6.0
Redhat ≫ Enterprise Linux Workstation, Version 7.0
25.03.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog
Vulnerability: Apache Tomcat on Windows Remote Code Execution Vulnerability
Description: When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Required action: Apply updates per vendor instructions.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 94.36% | 0.999 |

Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
nvd@nist.gov | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CWE-434: Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.