High severity8.1CISA KEVNVD Advisory· Published Sep 19, 2017· Updated Apr 21, 2026

CVE-2017-12615

Description

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.tomcat.embed:tomcat-embed-coreMaven	>= 7.0.0, < 7.0.79	7.0.79

Affected products

Apache/Tomcat
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
Range: >=7.0.0,<=7.0.79
NetApp/7 Mode Transition Tool
cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*
NetApp/Oncommand Balance
cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*
NetApp/Oncommand Shift
cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Server Update Services For Sap Solutions3 versions
cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.4:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*
Red Hat/Jboss Enterprise Web Server2 versions
cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
Red Hat/Jboss Enterprise Web Server Text Only Advisories
cpe:2.3:a:redhat:jboss_enterprise_web_server_text-only_advisories:-:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Desktop2 versions
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Eus4 versions
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Eus Compute Node4 versions
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Ibm Z Systems
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Ibm Z Systems Eus4 versions
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Power Big Endian
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Power Big Endian Eus4 versions
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Power Little Endian
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0_ppc64le:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Power Little Endian Eus4 versions
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:*:*:*:*:*:*:*
Red Hat/Enterprise Linux For Scientific Computing
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Server2 versions
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Server Aus3 versions
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions4 versions
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.4_ppc64le:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.4_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.7_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Server Tus3 versions
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
Red Hat/Enterprise Linux Workstation2 versions
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3EnvdMailing ListPatchWEB
lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3EnvdMailing ListPatchWEB
lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3EnvdMailing ListPatchWEB
lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3EnvdMailing ListPatchWEB
breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.htmlnvdExploitWEB
www.securityfocus.com/bid/100901nvdBroken LinkThird Party AdvisoryVDB EntryWEB
www.securitytracker.com/id/1039392nvdBroken LinkThird Party AdvisoryVDB EntryWEB
access.redhat.com/errata/RHSA-2017:3080nvdThird Party AdvisoryWEB
access.redhat.com/errata/RHSA-2017:3081nvdThird Party AdvisoryWEB
access.redhat.com/errata/RHSA-2017:3113nvdThird Party AdvisoryWEB
access.redhat.com/errata/RHSA-2017:3114nvdThird Party AdvisoryWEB
access.redhat.com/errata/RHSA-2018:0465nvdThird Party AdvisoryWEB
access.redhat.com/errata/RHSA-2018:0466nvdThird Party AdvisoryWEB
github.com/advisories/GHSA-pjfr-qf3p-3q25ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2017-12615ghsaADVISORY
security.netapp.com/advisory/ntap-20171018-0001/nvdThird Party Advisory
www.exploit-db.com/exploits/42953/nvdThird Party AdvisoryVDB Entry
www.synology.com/support/security/Synology_SA_17_54_TomcatnvdThird Party AdvisoryWEB
lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3EghsaWEB
lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3EghsaWEB
lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3EghsaWEB
lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3EnvdIssue TrackingMailing ListWEB
lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3EghsaWEB
lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3EnvdMailing ListWEB
lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3EghsaWEB
lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3EghsaWEB
security.netapp.com/advisory/ntap-20171018-0001ghsaWEB
www.cisa.gov/known-exploited-vulnerabilities-catalognvdUS Government ResourceWEB
www.exploit-db.com/exploits/42953ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.075
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.060