When running with HTTP PUTs enabled (e.g. via setting the readonly initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server (CVE-2017-12617).

OSVersionArchitecturePackageVersionFilename
Mageia5noarchtomcat< 7.0.82-1tomcat-7.0.82-1.mga5
Mageia6noarchtomcat< 8.0.47-1tomcat-8.0.47-1.mga6

OS	Version	Architecture	Package	Version	Filename
Mageia	5	noarch	tomcat	< 7.0.82-1	tomcat-7.0.82-1.mga5
Mageia	6	noarch	tomcat	< 8.0.47-1	tomcat-8.0.47-1.mga6

References

bugs.mageia.org/show_bug.cgi?id=21933

tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82

tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.47

checkpoint_advisories 2

nessus 41

kaspersky 1

nuclei 2

openvas 17

cve 1

zdt 2

osv 3

ubuntucve 2

freebsd 1

cisa 1

github 1

attackerkb 1

prion 1

cvelist 1

debian 1

tomcat 4

packetstorm 2

nvd 1

exploitpack 2

veracode 1

f5 1

cisa_kev 1

debiancve 1

amazon 1

seebug 1

dsquare 1

exploitdb 3

fedora 3

redhatcve 1

thn 1

fortinet 1

ibm 9

redhat 12

suse 4

threatpost 1

oraclelinux 2

centos 2

atlassian 4

ubuntu 1

talosblog 1

avleonov 1

symantec 1

kitploit 2

photon 1

oracle 4

checkpoint_advisories

Apache Tomcat HTTP PUT Remote Code Execution (CVE-2017-12617)

2017-10-08 00:00:00

Apache Tomcat PUT Method Arbitrary File Upload Remote Code Execution (CVE-2017-12615; CVE-2017-12617)

2017-09-24 00:00:00

nessus

Apache Tomcat 9.0.0.M1 < 9.0.1

2017-10-06 00:00:00

Amazon Linux AMI : tomcat8 / tomcat80,tomcat7 (ALAS-2017-913)

2017-10-27 00:00:00

Apache Tomcat 8.0.0.RC1 < 8.0.47

2017-10-06 00:00:00

kaspersky

KLA11118 ACE vulnerability in Apache Tomcat

2017-09-21 00:00:00

nuclei

Apache Tomcat - Remote Code Execution

2023-06-15 08:45:00

Apache Tomcat - Remote Code Execution

2023-06-15 08:45:00

openvas

Apache Tomcat 'HTTP PUT Request' JSP Upload Code Execution Vulnerability

2017-09-25 00:00:00

Debian: Security Advisory (DLA-1166-1)

2023-03-08 00:00:00

Mageia: Security Advisory (MGASA-2017-0400)

2022-01-28 00:00:00

cve

CVE-2017-12617

2017-10-04 01:29:02

zdt

Apache Tomcat JSP Upload Bypass Remote Code Execution Exploit

2017-10-12 00:00:00

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - Remote Code Execution Exp

2017-10-09 00:00:00

osv

CVE-2017-12617

2017-10-04 01:29:02

Unrestricted Upload of File with Dangerous Type Apache Tomcat

2022-05-14 01:07:15

tomcat7 - security update

2017-11-07 00:00:00

ubuntucve

CVE-2017-12617

2017-10-03 00:00:00

CVE-2017-12616

2017-09-19 00:00:00

freebsd

tomcat -- Remote Code Execution

2017-10-04 00:00:00

cisa

Apache Releases Security Updates for Apache Tomcat

2017-10-03 00:00:00

github

Unrestricted Upload of File with Dangerous Type Apache Tomcat

2022-05-14 01:07:15

attackerkb

CVE-2017-12617

2017-10-04 00:00:00

prion

Code injection

2017-10-04 01:29:00

cvelist

CVE-2017-12617

2017-10-03 00:00:00

debian

[SECURITY] [DLA 1166-1] tomcat7 security update

2017-11-07 19:01:17

tomcat

Fixed in Apache Tomcat 9.0.1

2017-09-30 00:00:00

Fixed in Apache Tomcat 7.0.82

2017-10-04 00:00:00

Fixed in Apache Tomcat 8.0.47

2017-10-04 00:00:00

packetstorm

Apache Tomcat Upload Bypass / Remote Code Execution

2017-10-10 00:00:00

Tomcat JSP Upload Bypass Remote Code Execution

2017-10-12 00:00:00

nvd

CVE-2017-12617

2017-10-04 01:29:02

exploitpack

Apache Tomcat 9.0.1 (Beta) 8.5.23 8.0.47 7.0.8 - JSP Upload Bypass Remote Code Execution (2)

2017-10-09 00:00:00

Apache Tomcat 9.0.1 (Beta) 8.5.23 8.0.47 7.0.8 - JSP Upload Bypass Remote Code Execution (1)

2017-09-20 00:00:00

veracode

Remote Code Execution

2019-03-12 02:07:05

K53173544 : Apache Tomcat vulnerability CVE-2017-12617

2017-10-05 00:00:00

cisa_kev

Apache Tomcat Remote Code Execution Vulnerability

2022-03-25 00:00:00

debiancve

CVE-2017-12617

2017-10-04 01:29:00

amazon

Important: tomcat8, tomcat80, tomcat7

2017-10-26 16:29:00

seebug

Apache Tomcat Upload Bypass / Remote Code Execution(CVE-2017-12617)

2017-10-10 00:00:00

dsquare

Apache Tomcat for Windows HTTP PUT Method File Upload

2018-02-10 00:00:00

exploitdb

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)

2017-10-09 00:00:00

Tomcat - Remote Code Execution via JSP Upload Bypass (Metasploit)

2017-10-17 00:00:00

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)

2017-09-20 00:00:00

fedora

[SECURITY] Fedora 25 Update: tomcat-8.0.47-1.fc25

2017-11-11 15:47:39

[SECURITY] Fedora 27 Update: tomcat-8.0.47-1.fc27

2017-11-11 13:50:22

[SECURITY] Fedora 26 Update: tomcat-8.0.47-1.fc26

2017-11-10 15:18:40

redhatcve

CVE-2017-12617

2021-07-03 23:30:26

thn

Apache Tomcat Patches Important Remote Code Execution Flaw

2017-10-05 00:16:00

fortinet

Apache Tomcat vulnerabilities

2017-10-24 00:00:00

ibm

Security Bulletin: WebSphere Message Broker and IBM Integration Bus is affected by Open Source Apache Tomcat Vulnerabilities (CVE-2017-12617,CVE-2017-12615)

2020-03-23 20:41:52

Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Reporting Service shipped with Rational Reporting for Development Intelligence (CVE-2017-12615, CVE-2017-12616, CVE-2017-12617)

2018-06-17 05:23:49

Security Bulletin: Multiple security vulnerabilities have been identified in Jazz Team Server shipped with Jazz Reporting Service (CVE-2017-12615, CVE-2017-12616, CVE-2017-12617)

2018-06-17 05:23:49

redhat

(RHSA-2018:0270) Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update

2018-02-05 10:26:34

(RHSA-2018:0275) Important: jboss-ec2-eap security, bug fix, and enhancement update

2018-02-05 14:12:47

(RHSA-2018:0269) Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update

2018-02-05 10:26:12

suse

Security update for tomcat (important)

2017-11-22 15:08:02

Security update for tomcat (important)

2017-11-24 00:09:51

Security update for tomcat (important)

2017-12-13 21:10:17

threatpost

5 Steps to Securing Your Network Perimeter

2021-09-27 20:29:43

oraclelinux

tomcat security update

2017-10-30 00:00:00

tomcat6 security update

2017-10-29 00:00:00

centos

tomcat6 security update

2017-10-30 11:27:14

tomcat security update

2017-10-30 11:36:20

atlassian

Upgrade Tomcat to the version 8.5.29

2017-03-14 13:20:53

Upgrade Tomcat to the version 8.5.29

2017-03-14 13:20:53

Update bundled Apache Tomcat due to security vulnerabilities

2017-04-17 08:48:35

ubuntu

Tomcat vulnerabilities

2018-05-30 00:00:00

talosblog

DNS Hijacking Abuses Trust In Core Internet Service

2019-04-18 16:08:25

avleonov

Vulnerability Management at Tinkoff Fintech School

2019-03-04 10:38:31

symantec

SA156: Apache Tomcat Vulnerabilities Apr-Oct 2017

2017-11-07 08:00:00

kitploit

Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts

2019-05-12 13:09:00

Jok3R - Network And Web Pentest Framework

2019-01-23 12:25:00

photon

Critical Photon OS Security Update - PHSA-2017-0078

2017-10-19 00:00:00

oracle

Oracle Critical Patch Update - April 2018

2018-04-17 00:00:00

Oracle Critical Patch Update - January 2018

2018-01-16 00:00:00

Oracle Critical Patch Update Advisory - April 2019

2019-04-16 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.975 High

EPSS

Percentile

100.0%

JSON

Related for MGASA-2017-0400