Back to search
CVE-2017-12617
Published: Oct 3, 2017
Modified: Oct 21, 2025
PUBLISHED
Description
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
| Vendor | Product | Versions |
|---|---|---|
Apache Software Foundation | Apache Tomcat | affected 9.0.0.M1 to 9.0.0affected 8.5.0 to 8.5.22affected 8.0.0.RC1 to 8.0.46affected 7.0.0 to 7.0.81 |
References
RHSA-2017:3113
vendor-advisory
x_refsource_REDHAT
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
x_refsource_CONFIRM
RHSA-2017:3080
vendor-advisory
x_refsource_REDHAT
RHSA-2018:0269
vendor-advisory
x_refsource_REDHAT
42966
exploit
x_refsource_EXPLOIT-DB
RHSA-2018:0270
vendor-advisory
x_refsource_REDHAT
RHSA-2018:0271
vendor-advisory
x_refsource_REDHAT
[debian-lts-announce] 20171107 [SECURITY] [DLA 1166-1] tomcat7 security update
mailing-list
x_refsource_MLIST
RHSA-2018:2939
vendor-advisory
x_refsource_REDHAT
RHSA-2018:0465
vendor-advisory
x_refsource_REDHAT
USN-3665-1
vendor-advisory
x_refsource_UBUNTU
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
x_refsource_CONFIRM
RHSA-2018:0268
vendor-advisory
x_refsource_REDHAT
RHSA-2017:3114
vendor-advisory
x_refsource_REDHAT
43008
exploit
x_refsource_EXPLOIT-DB
1039552
vdb-entry
x_refsource_SECTRACK
100954
vdb-entry
x_refsource_BID
RHSA-2018:0275
vendor-advisory
x_refsource_REDHAT
RHSA-2018:0466
vendor-advisory
x_refsource_REDHAT
[announce] 20171003 [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload
mailing-list
x_refsource_MLIST
https://security.netapp.com/advisory/ntap-20171018-0002/
x_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20180117-0002/
x_refsource_CONFIRM
RHSA-2017:3081
vendor-advisory
x_refsource_REDHAT
[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
mailing-list
x_refsource_MLIST
https://support.f5.com/csp/article/K53173544
x_refsource_CONFIRM
[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/
mailing-list
x_refsource_MLIST
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now