When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html cve-icon cve-icon
http://www.securityfocus.com/bid/100901 cve-icon cve-icon
http://www.securitytracker.com/id/1039392 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3080 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3081 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3113 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2017:3114 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0465 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:0466 cve-icon cve-icon
https://github.com/breaktoprotect/CVE-2017-12615 cve-icon cve-icon
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2017-12615 cve-icon
https://security.netapp.com/advisory/ntap-20171018-0001/ cve-icon cve-icon
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81 cve-icon
https://www.cisa.gov/known-exploited-vulnerabilities-catalog cve-icon
https://www.cve.org/CVERecord?id=CVE-2017-12615 cve-icon
https://www.exploit-db.com/exploits/42953/ cve-icon cve-icon
https://www.synology.com/support/security/Synology_SA_17_54_Tomcat cve-icon cve-icon
History

Thu, 06 Feb 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2022-03-25'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 14 Aug 2024 00:15:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2025-07-30T01:46:23.629Z

Reserved: 2017-08-07T00:00:00.000Z

Link: CVE-2017-12615

cve-icon Vulnrichment

Updated: 2024-08-05T18:43:56.420Z

cve-icon NVD

Status : Deferred

Published: 2017-09-19T13:29:00.190

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-12615

cve-icon Redhat

Severity : Important

Publid Date: 2017-09-19T00:00:00Z

Links: CVE-2017-12615 - Bugzilla

cve-icon OpenCVE Enrichment

No data.