CVE-2017-12615
HIGH
8,1
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high
MEDIUM
6,8
Source: [email protected]
Access Vector: network
Access Complexity: medium
Authentication: none
Confidentiality: partial
Integrity: partial
Availability: partial
Description
AI Translation Available
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
EPSS (Exploit Prediction Scoring System)
Trend Analysis
EPSS (Exploit Prediction Scoring System)
Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.
EPSS Score
0,9428
Percentile
1,0th
Updated
EPSS Score Trend (Last 91 Days)
434
Unrestricted Upload of File with Dangerous Type
DraftCommon Consequences
Security Scopes Affected:
Integrity
Confidentiality
Availability
Potential Impacts:
Execute Unauthorized Code Or Commands
Applicable Platforms
Languages:
ASP.NET, Not Language-Specific, PHP
Technologies:
Web Server
Exploit
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 …
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)
View Exploit Code →
Application
Jboss Enterprise Web Server Text-Only Advisories by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:jboss_enterprise_web_server_text-only_advisories:-:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Tomcat by Apache
Version Range Affected
From
7.0.0
(inclusive)
To
7.0.79
(inclusive)
CPE Identifier
View Detailed Analysis
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Ibm Z Systems Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server Tus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Ibm Z Systems Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Ibm Z Systems by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Desktop by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Scientific Computing by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Big Endian Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Little Endian Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Oncommand Shift by Netapp
CPE Identifier
View Detailed Analysis
cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Little Endian Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Big Endian Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Eus Compute Node by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.7_ppc64le:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Eus Compute Node by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Jboss Enterprise Web Server by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Eus Compute Node by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server Aus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Little Endian by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0_ppc64le:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Oncommand Balance by Netapp
CPE Identifier
View Detailed Analysis
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
7-Mode Transition Tool by Netapp
CPE Identifier
View Detailed Analysis
cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Big Endian Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Workstation by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Big Endian by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Jboss Enterprise Web Server by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Eus Compute Node by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Big Endian Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.4_ppc64le:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server Aus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server Tus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Ibm Z Systems Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Enterprise Linux Server Update Services For Sap Solutions by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server Tus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6_ppc64le:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Server Aus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Enterprise Linux Server Update Services For Sap Solutions by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.4:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Workstation by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Little Endian Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application
Enterprise Linux Server Update Services For Sap Solutions by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Desktop by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Power Little Endian Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Operating System
Enterprise Linux For Ibm Z Systems Eus by Redhat
CPE Identifier
View Detailed Analysis
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017…
http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-…
https://access.redhat.com/errata/RHSA-2017:3080
https://access.redhat.com/errata/RHSA-2017:3081
https://access.redhat.com/errata/RHSA-2017:3113
https://access.redhat.com/errata/RHSA-2017:3114
https://access.redhat.com/errata/RHSA-2018:0465
https://access.redhat.com/errata/RHSA-2018:0466
https://github.com/breaktoprotect/CVE-2017-12615
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3…
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f…
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d8…
https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7dac…
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc…
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855…
https://security.netapp.com/advisory/ntap-20171018-0001/
https://www.exploit-db.com/exploits/42953/
https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
http://www.securityfocus.com/bid/100901
http://www.securitytracker.com/id/1039392
http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-…
https://access.redhat.com/errata/RHSA-2017:3080
https://access.redhat.com/errata/RHSA-2017:3081
https://access.redhat.com/errata/RHSA-2017:3113
https://access.redhat.com/errata/RHSA-2017:3114
https://access.redhat.com/errata/RHSA-2018:0465
https://access.redhat.com/errata/RHSA-2018:0466
https://github.com/breaktoprotect/CVE-2017-12615
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3…
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f…
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d8…
https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7dac…
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc…
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855…
https://security.netapp.com/advisory/ntap-20171018-0001/
https://www.exploit-db.com/exploits/42953/
https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
http://www.securityfocus.com/bid/100901
http://www.securitytracker.com/id/1039392