{"id":"CVE-2017-12615","details":"When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.","aliases":["GHSA-pjfr-qf3p-3q25"],"modified":"2026-04-11T12:04:50.119083Z","published":"2017-09-19T13:29:00.190Z","related":["SUSE-SU-2017:3059-1"],"database_specific":{"unresolved_ranges":[{"cpe":"cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.4:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.4"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.6"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.7"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"2.0.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"3.0.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"6.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.4"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.5"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.6"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.7"}],"sourc
e":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.4"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.5"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.6"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.7"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.0_s390x"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.4_s390x"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.5_s390x"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.6_s390x"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.7_s390x"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.4_ppc64"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.5_ppc64"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.6_ppc64"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:*:*:*:*:*:*:*","extracted_
events":[{"last_affected":"7.7_ppc64"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.4_ppc64le"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.5_ppc64le"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.6_ppc64le"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.7_ppc64le"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"6.0"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.4"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.6"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.7"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.4_ppc64le:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.4_ppc64le"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6_ppc64le:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.6_ppc64le"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.7_ppc64le:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.7_ppc64le"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endia
n_update_services_for_sap_solutions:9.2_ppc64le:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"9.2_ppc64le"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.4"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.6"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"7.7"}],"source":"CPE_FIELD"},{"cpe":"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*","extracted_events":[{"last_affected":"6.0"}],"source":"CPE_FIELD"}]},"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100901"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039392"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3080"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3081"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3113"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3114"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0465"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0466"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20171018-0001/"},{"type":"ADVISORY","url":"https://www.exploit-db.com/exploits/42953/"},{"type":"ADVISORY","url":"https://www.synology.com/support/security/Synology_SA_17_54_Tomcat"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"},{"type":"FIX","url":"https://list
s.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"},{"type":"EVIDENCE","url":"http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html"},{"type":"EVIDENCE","url":"https://github.com/breaktoprotect/CVE-2017-12615"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"last_affected":"cbf7381f46f2d8d902562c3cc3147d6d1414d6cb"},{"introduced":"0"},{"last_affected":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"last_affected":"f6de6eb5445d266506fcf89d3962a622478c2c6c"}],"database_specific":{"cpe":["cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0_ppc64le:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"7.0.0"},{"last_affected":"7.0.79"},{"introduced":"0"},{"last_affected":"7.0"},{"last_affected":"7.0_ppc64"},{"last_affected":"7.0_ppc64le"}],"source":"CPE_FIELD"}}],"versions":["7.0.0","7.0.64","7.0.79"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-12615.json"}}],"schema_version":"1.7.5","s
everity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}