CVE-2017-12617

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Published

2017-10-04T01:29:02.120

Last Modified

2025-04-20T01:37:25.860

Status

Deferred

Source

[email protected]

Severity

CVSSv3.1: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-434
  • Type: Secondary
    CWE-434

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apache tomcat < 7.0.82 Yes
Application apache tomcat < 8.0.47 Yes
Application apache tomcat < 8.5.23 Yes
Application apache tomcat < 9.0.1 Yes
Operating System canonical ubuntu_linux 12.04 Yes
Operating System canonical ubuntu_linux 16.04 Yes
Operating System canonical ubuntu_linux 17.10 Yes
Operating System canonical ubuntu_linux 18.04 Yes
Application oracle agile_plm 9.3.3 Yes
Application oracle agile_plm 9.3.4 Yes
Application oracle agile_plm 9.3.5 Yes
Application oracle agile_plm 9.3.6 Yes
Application oracle communications_instant_messaging_server 10.0.1 Yes
Application oracle endeca_information_discovery_integrator 3.1.0 Yes
Application oracle endeca_information_discovery_integrator 3.2.0 Yes
Application oracle enterprise_manager_for_mysql_database 12.1.0.4.0 Yes
Application oracle financial_services_analytical_applications_infrastructure ≤ 7.3.5.3.0 Yes
Application oracle financial_services_analytical_applications_infrastructure ≤ 8.0.9.0.0 Yes
Application oracle fmw_platform 12.2.1.2.0 Yes
Application oracle fmw_platform 12.2.1.3.0 Yes
Application oracle health_sciences_empirica_inspections 1.0.1.1 Yes
Application oracle hospitality_guest_access 4.2.0 Yes
Application oracle hospitality_guest_access 4.2.1 Yes
Application oracle instantis_enterprisetrack 17.1 Yes
Application oracle instantis_enterprisetrack 17.2 Yes
Application oracle management_pack 11.2.1.0.13 Yes
Application oracle micros_lucas 2.9.5 Yes
Application oracle micros_retail_xbri_loss_prevention 10.0.1 Yes
Application oracle micros_retail_xbri_loss_prevention 10.5.0 Yes
Application oracle micros_retail_xbri_loss_prevention 10.6.0 Yes
Application oracle micros_retail_xbri_loss_prevention 10.7.0 Yes
Application oracle micros_retail_xbri_loss_prevention 10.8.0 Yes
Application oracle micros_retail_xbri_loss_prevention 10.8.1 Yes
Application oracle mysql_enterprise_monitor ≤ 3.3.6.3293 Yes
Application oracle mysql_enterprise_monitor ≤ 3.4.4.4226 Yes
Application oracle mysql_enterprise_monitor ≤ 4.0.0.5135 Yes
Application oracle retail_advanced_inventory_planning 13.2 Yes
Application oracle retail_advanced_inventory_planning 13.4 Yes
Application oracle retail_advanced_inventory_planning 14.1 Yes
Application oracle retail_advanced_inventory_planning 15.0 Yes
Application oracle retail_back_office 14.0.4 Yes
Application oracle retail_back_office 14.1.3 Yes
Application oracle retail_central_office 14.0.4 Yes
Application oracle retail_central_office 14.1.3 Yes
Application oracle retail_convenience_and_fuel_pos_software 2.1.132 Yes
Application oracle retail_eftlink 1.1.124 Yes
Application oracle retail_eftlink 15.0.1 Yes
Application oracle retail_eftlink 16.0.2 Yes
Application oracle retail_insights 14.0 Yes
Application oracle retail_insights 14.1 Yes
Application oracle retail_insights 15.0 Yes
Application oracle retail_insights 16.0 Yes
Application oracle retail_invoice_matching 12.0 Yes
Application oracle retail_invoice_matching 13.0 Yes
Application oracle retail_invoice_matching 13.1 Yes
Application oracle retail_invoice_matching 13.2 Yes
Application oracle retail_invoice_matching 14.0 Yes
Application oracle retail_invoice_matching 14.1 Yes
Application oracle retail_invoice_matching 15.0 Yes
Application oracle retail_invoice_matching 16.0 Yes
Application oracle retail_order_broker 5.0 Yes
Application oracle retail_order_broker 5.1 Yes
Application oracle retail_order_broker 5.2 Yes
Application oracle retail_order_broker 15.0 Yes
Application oracle retail_order_broker 16.0 Yes
Application oracle retail_order_management_system 4.0 Yes
Application oracle retail_order_management_system 4.5 Yes
Application oracle retail_order_management_system 4.7 Yes
Application oracle retail_order_management_system 5.0 Yes
Application oracle retail_point-of-service 14.0.4 Yes
Application oracle retail_point-of-service 14.1.3 Yes
Application oracle retail_price_management 12.0 Yes
Application oracle retail_price_management 13.0 Yes
Application oracle retail_price_management 13.1 Yes
Application oracle retail_price_management 13.2 Yes
Application oracle retail_price_management 14.0 Yes
Application oracle retail_price_management 14.1 Yes
Application oracle retail_price_management 15.0 Yes
Application oracle retail_price_management 16.0 Yes
Application oracle retail_returns_management 2.3.8 Yes
Application oracle retail_returns_management 2.4.9 Yes
Application oracle retail_returns_management 14.0.4 Yes
Application oracle retail_returns_management 14.1.3 Yes
Application oracle retail_store_inventory_management 12.0.12 Yes
Application oracle retail_store_inventory_management 13.0.7 Yes
Application oracle retail_store_inventory_management 13.1.9 Yes
Application oracle retail_store_inventory_management 13.2.9 Yes
Application oracle retail_store_inventory_management 14.0.4 Yes
Application oracle retail_store_inventory_management 14.1.3 Yes
Application oracle retail_store_inventory_management 15.0.2 Yes
Application oracle retail_store_inventory_management 16.0.1 Yes
Application oracle retail_xstore_point_of_service 6.0.11 Yes
Application oracle retail_xstore_point_of_service 7.0.6 Yes
Application oracle retail_xstore_point_of_service 7.1.6 Yes
Application oracle retail_xstore_point_of_service 15.0.1 Yes
Application oracle transportation_management 6.3.1 Yes
Application oracle transportation_management 6.3.2 Yes
Application oracle transportation_management 6.3.3 Yes
Application oracle transportation_management 6.3.4 Yes
Application oracle transportation_management 6.3.5 Yes
Application oracle transportation_management 6.3.6 Yes
Application oracle transportation_management 6.3.7 Yes
Application oracle tuxedo_system_and_applications_monitor 12.1.3.0.0 Yes
Application oracle webcenter_sites 11.1.1.8.0 Yes
Application oracle workload_manager 12.2.0.1 Yes
Operating System debian debian_linux 7.0 Yes
Application netapp active_iq_unified_manager ≥ 7.3 Yes
Application netapp active_iq_unified_manager ≥ 9.5 Yes
Application netapp oncommand_balance - Yes
Application netapp oncommand_insight - Yes
Application netapp oncommand_shift - Yes
Application netapp oncommand_workflow_automation - Yes
Application netapp snapcenter - Yes
Operating System netapp element - Yes
Application redhat fuse 1.0 Yes
Application redhat jboss_enterprise_application_platform 6.0.0 Yes
Application redhat jboss_enterprise_application_platform 6.4.0 Yes
Application redhat jboss_enterprise_web_server 2.0.0 Yes
Application redhat jboss_enterprise_web_server 3.0.0 Yes
Application redhat jboss_enterprise_web_server_text-only_advisories - Yes
Operating System redhat enterprise_linux_desktop 6.0 Yes
Operating System redhat enterprise_linux_desktop 7.0 Yes
Operating System redhat enterprise_linux_eus 7.4 Yes
Operating System redhat enterprise_linux_eus 7.5 Yes
Operating System redhat enterprise_linux_eus 7.6 Yes
Operating System redhat enterprise_linux_eus 7.7 Yes
Operating System redhat enterprise_linux_eus_compute_node 7.4 Yes
Operating System redhat enterprise_linux_eus_compute_node 7.5 Yes
Operating System redhat enterprise_linux_eus_compute_node 7.6 Yes
Operating System redhat enterprise_linux_eus_compute_node 7.7 Yes
Operating System redhat enterprise_linux_for_ibm_z_systems 6.0_s390x Yes
Operating System redhat enterprise_linux_for_ibm_z_systems 7.0_s390x Yes
Operating System redhat enterprise_linux_for_ibm_z_systems_eus 7.4_s390x Yes
Operating System redhat enterprise_linux_for_ibm_z_systems_eus 7.5_s390x Yes
Operating System redhat enterprise_linux_for_ibm_z_systems_eus 7.6_s390x Yes
Operating System redhat enterprise_linux_for_ibm_z_systems_eus 7.7_s390x Yes
Operating System redhat enterprise_linux_for_power_big_endian 6.0_ppc64 Yes
Operating System redhat enterprise_linux_for_power_big_endian 7.0_ppc64 Yes
Operating System redhat enterprise_linux_for_power_big_endian_eus 7.4_ppc64 Yes
Operating System redhat enterprise_linux_for_power_big_endian_eus 7.5_ppc64 Yes
Operating System redhat enterprise_linux_for_power_big_endian_eus 7.6_ppc64 Yes
Operating System redhat enterprise_linux_for_power_big_endian_eus 7.7_ppc64 Yes
Operating System redhat enterprise_linux_for_power_little_endian 7.0 Yes
Operating System redhat enterprise_linux_for_power_little_endian_eus 7.4_ppc64le Yes
Operating System redhat enterprise_linux_for_power_little_endian_eus 7.5_ppc64le Yes
Operating System redhat enterprise_linux_for_power_little_endian_eus 7.6_ppc64le Yes
Operating System redhat enterprise_linux_for_power_little_endian_eus 7.7_ppc64le Yes
Operating System redhat enterprise_linux_server 6.0 Yes
Operating System redhat enterprise_linux_server 7.0 Yes
Operating System redhat enterprise_linux_server_aus 7.4 Yes
Operating System redhat enterprise_linux_server_aus 7.6 Yes
Operating System redhat enterprise_linux_server_aus 7.7 Yes
Operating System redhat enterprise_linux_server_tus 7.4 Yes
Operating System redhat enterprise_linux_server_tus 7.6 Yes
Operating System redhat enterprise_linux_server_tus 7.7 Yes
Operating System redhat enterprise_linux_workstation 6.0 Yes
Operating System redhat enterprise_linux_workstation 7.0 Yes

References