CVE-2017-12617
critical-risk
Published 2017-10-04
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUT enabled (e.g. by setting the readonly initialisation parameter of the Default servlet to false; the parameter defaults to true, so a stock install is not affected), it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested, and any code it contained would be executed by the server with the privileges of the Tomcat process.
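The description names a precondition (PUT enabled through the Default servlet's readonly init-param) and an effect (a .jsp written into the web root), and both leave traces a defender can look for. The following Python is an added example written for this page, not code from the Tomcat project: it audits a web.xml for a writable DefaultServlet and scans access-log lines for PUT requests whose path carries the .jsp extension. The web.xml fragments, the log lines and the function names are all constructed for the example.

```python
"""Added example for CVE-2017-12617, two defender-side checks (not Tomcat code).
audit_web_xml():  which DefaultServlet entries set readonly=false (PUT enabled).
find_jsp_puts():  which access-log PUTs target a path containing '.jsp'.
All XML and log samples are constructed for this example."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed: conf/web.xml fragment with the weak setting (PUT enabled).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
# Constructed: the corrected fragment. 'true' is also Tomcat's default when the
# parameter is absent, so deleting the whole init-param block is equally valid.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")

# WebdavServlet extends DefaultServlet and honours the same readonly parameter.
_WRITABLE_CLASSES = {"org.apache.catalina.servlets.DefaultServlet",
                     "org.apache.catalina.servlets.WebdavServlet"}


def _local(tag):
    """Drop the XML namespace so Tomcat 7 and 8/9 web.xml files both parse."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return servlet-names of DefaultServlet/WebdavServlet entries with readonly=false."""
    writable = []
    for servlet in ET.fromstring(xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, cls, readonly = None, None, "true"  # default when param is absent
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "init-param":
                params = {_local(p.tag): (p.text or "").strip() for p in child}
                if params.get("param-name") == "readonly":
                    readonly = params.get("param-value", "true").lower()
        if cls in _WRITABLE_CLASSES and readonly == "false":
            writable.append(name)
    return writable


# Request line of the common/combined log format: "METHOD target HTTP/x.y" status
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')


def find_jsp_puts(log_lines):
    """Return (raw target, status) for each PUT whose decoded path contains '.jsp'.
    Matching the URL-decoded, lower-cased path anywhere (not only at its end)
    keeps case changes or trailing characters from slipping past the check."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m or m.group("method") != "PUT":
            continue
        path = unquote(m.group("target").split("?", 1)[0]).lower()
        if ".jsp" in path:
            hits.append((m.group("target"), int(m.group("status"))))
    return hits


# Constructed access-log lines: two JSP uploads (201 created, 204 overwritten),
# a harmless PUT, a read of the dropped file, and a query-string decoy.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Oct/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612',
    '10.0.0.9 - - [04/Oct/2017:10:00:07 +0000] "PUT /shell.jsp HTTP/1.1" 201 0',
    '10.0.0.9 - - [04/Oct/2017:10:00:09 +0000] "PUT /Upload.JSP/ HTTP/1.1" 204 0',
    '10.0.0.9 - - [04/Oct/2017:10:00:12 +0000] "PUT /notes.txt HTTP/1.1" 201 0',
    '10.0.0.9 - - [04/Oct/2017:10:00:15 +0000] "GET /shell.jsp?cmd=id HTTP/1.1" 200 57',
    '10.0.0.9 - - [04/Oct/2017:10:00:18 +0000] "PUT /img.png?name=a.jsp HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    print("writable (weak):    ", audit_web_xml(WEAK_WEB_XML))
    print("writable (hardened):", audit_web_xml(HARDENED_WEB_XML))
    for target, status in find_jsp_puts(SAMPLE_LOG):
        print(f"JSP PUT -> {target} ({status})")
```

A hit from find_jsp_puts with a 201 or 204 status means the server accepted the write; pair it with a later GET of the same path (as in the sample) to confirm the upload was then executed. Run audit_web_xml against both conf/web.xml and every deployed WEB-INF/web.xml, since an application can override the global Default servlet definition.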
Do I need to act?
EPSS: 94.4% chance of exploitation in the next 30 days (the page reports this as higher than 6% of all CVEs).
CISA KEV: actively exploited in the wild. Listed on the Known Exploited Vulnerabilities catalog, so US federal agencies must patch by the catalog due date.
Patch status: fixed upstream in Apache Tomcat 9.0.1, 8.5.23, 8.0.47 and 7.0.82. Check vendor advisories (for example the Red Hat errata listed under References) for fixed distribution packages. Mitigation until patched: leave the Default servlet's readonly parameter at its default of true so HTTP PUT is rejected, unless PUT is genuinely required.
CVSS 8.1/10 (High): attack vector NETWORK, attack complexity HIGH, no privileges or user interaction required (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). The high complexity reflects the non-default readonly=false configuration the attack depends on.
Affected Products (20)
References (89)
http://www.securityfocus.com/bid/100954 (Third Party Advisory)
http://www.securitytracker.com/id/1039552 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:3080 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:3081 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:3113 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2017:3114 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:0268 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:0269 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:0270 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:0271 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:0275 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:0465 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:0466 (Third Party Advisory)
https://access.redhat.com/errata/RHSA-2018:2939 (Third Party Advisory)
and 69 more references
Risk score: 91/100 (critical-risk)
Severity: 24/34 · High
Exploitability: 34/34 · Critical
Exposure: 33/34 · Critical