{"id":"CVE-2017-12615","details":"When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.","aliases":["GHSA-pjfr-qf3p-3q25"],"modified":"2026-04-02T00:01:34.531054Z","published":"2017-09-19T13:29:00.190Z","related":["SUSE-SU-2017:3059-1"],"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100901"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3080"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3114"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0466"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20171018-0001/"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039392"},{"type":"ADVISORY","url":"https://www.synology.com/support/security/Synology_SA_17_54_Tomcat"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3113"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3081"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0465"},{"type":"ADVISORY","url":"https://www.exploit-db.com/exploits/42953/"},{"type":"REPORT","url":"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"},{"type":"FIX","url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"},{"type":"ARTICLE","url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"},{"type":"EVIDENCE","url":"https://github.com/breaktoprotect/CVE-2017-12615"},{"type":"EVIDENCE","url":"http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tomcat","events":[{"introduced":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"last_affected":"cbf7381f46f2d8d902562c3cc3147d6d1414d6cb"},{"introduced":"0"},{"last_affected":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"introduced":"0"},{"last_affected":"f6de6eb5445d266506fcf89d3962a622478c2c6c"},{"introduced":"0"},{"last_affected":"f6de6eb5445d266506fcf89d3962a622478c2c6c"},{"introduced":"0"},{"last_affected":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"introduced":"0"},{"last_affected":"e498667bd7811e846771a852b16ce9f1e524b81b"},{"introduced":"0"},{"last_affected":"e498667bd7811e846771a852b16ce9f1e524b81b"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"last_affected":"7.0.79"},{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"0"},{"last_affected":"7.0_ppc64"},{"introduced":"0"},{"last_affected":"7.0_ppc64le"},{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"0"},{"last_affected":"7.0"},{"introduced":"0"},{"last_affected":"7.0"}]}}],"versions":["10.0.0","10.0.0-M1","10.0.0-M10","10.0.0-M2","10.0.0-M3","10.0.0-M4","10.0.0-M5","10.0.0-M6","10.0.0-M7","10.0.0-M8","10.0.0-M9","10.0.0.0-M1","10.0.1","10.0.10","10.0.11","10.0.12","10.0.13","10.0.14","10.0.15","10.0.16","10.0.17","10.0.18","10.0.19","10.0.2","10.0.20","10.0.21","10.0.22","10.0.23","10.0.24","10.0.25","10.0.26","10.0.27","10.0.3","10.0.4","10.0.5","10.0.6","10.0.7","10.0.8","10.0.9","10.1.0","10.1.0-M1","10.1.0-M10","10.1.0-M11","10.1.0-M12","10.1.0-M13","10.1.0-M14","10.1.0-M15","10.1.0-M16","10.1.0-M17","10.1.0-M18","10.1.0-M19","10.1.0-M2","10.1.0-M20","10.1.0-M3","10.1.0-M4","10.1.0-M5","10.1.0-M6","10.1.0-M7","10.1.0-M8","10.1.0-M9","10.1.1","10.1.10","10.1.11","10.1.12","10.1.13","10.1.14","10.1.15","10.1.16","10.1.17","10.1.18","10.1.19","10.1.2","10.1.20","10.1.22","10.1.23","10.1.24","10.1.25","10.1.26","10.1.27","10.1.28","10.1.29","10.1.3","10.1.30","10.1.31","10.1.32","10.1.33","10.1.34","10.1.35","10.1.36","10.1.37","10.1.38","10.1.39","10.1.4","10.1.40","10.1.41","10.1.42","10.1.43","10.1.44","10.1.45","10.1.46","10.1.47","10.1.48","10.1.49","10.1.5","10.1.50","10.1.51","10.1.52","10.1.6","10.1.7","10.1.8","10.1.9","11.0.0","11.0.0-M1","11.0.0-M10","11.0.0-M11","11.0.0-M12","11.0.0-M13","11.0.0-M14","11.0.0-M15","11.0.0-M16","11.0.0-M17","11.0.0-M18","11.0.0-M19","11.0.0-M2","11.0.0-M20","11.0.0-M21","11.0.0-M22","11.0.0-M23","11.0.0-M24","11.0.0-M25","11.0.0-M26","11.0.0-M3","11.0.0-M4","11.0.0-M5","11.0.0-M6","11.0.0-M7","11.0.0-M8","11.0.0-M9","11.0.1","11.0.10","11.0.11","11.0.12","11.0.13","11.0.14","11.0.15","11.0.16","11.0.17","11.0.18","11.0.2","11.0.3","11.0.4","11.0.5","11.0.6","11.0.7","11.0.8","11.0.9","7.0.0","7.0.0-RC1","7.0.0-RC2","7.0.0-RC3","7.0.0-RC4","7.0.1","7.0.10","7.0.100","7.0.101","7.0.102","7.0.103","7.0.104","7.0.105","7.0.106","7.0.107","7.0.108","7.0.109","7.0.11","7.0.12","7.0.13","7.0.14","7.0.15","7.0.16","7.0.17","7.0.18","7.0.19","7.0.2","7.0.20","7.0.21","7.0.22","7.0.23","7.0.24","7.0.25","7.0.26","7.0.27","7.0.28","7.0.29","7.0.3","7.0.30","7.0.31","7.0.32","7.0.33","7.0.34","7.0.35","7.0.36","7.0.37","7.0.38","7.0.39","7.0.4","7.0.40","7.0.41","7.0.42","7.0.43","7.0.44","7.0.45","7.0.46","7.0.47","7.0.48","7.0.49","7.0.5","7.0.50","7.0.51","7.0.52","7.0.53","7.0.54","7.0.55","7.0.56","7.0.57","7.0.58","7.0.59","7.0.6","7.0.60","7.0.61","7.0.62","7.0.63","7.0.64","7.0.65","7.0.66","7.0.67","7.0.68","7.0.69","7.0.7","7.0.70","7.0.71","7.0.72","7.0.73","7.0.74","7.0.75","7.0.76","7.0.77","7.0.78","7.0.79","7.0.8","7.0.80","7.0.81","7.0.82","7.0.83","7.0.84","7.0.85","7.0.86","7.0.87","7.0.88","7.0.89","7.0.9","7.0.90","7.0.91","7.0.92","7.0.93","7.0.94","7.0.95","7.0.96","7.0.97","7.0.98","7.0.99","8.5.0","8.5.1","8.5.10","8.5.100","8.5.11","8.5.12","8.5.13","8.5.14","8.5.15","8.5.16","8.5.17","8.5.18","8.5.19","8.5.2","8.5.20","8.5.21","8.5.22","8.5.23","8.5.24","8.5.25","8.5.26","8.5.27","8.5.28","8.5.29","8.5.3","8.5.30","8.5.31","8.5.32","8.5.33","8.5.34","8.5.35","8.5.36","8.5.37","8.5.38","8.5.39","8.5.4","8.5.40","8.5.41","8.5.42","8.5.43","8.5.44","8.5.45","8.5.46","8.5.47","8.5.48","8.5.49","8.5.5","8.5.50","8.5.51","8.5.52","8.5.53","8.5.54","8.5.55","8.5.56","8.5.57","8.5.58","8.5.59","8.5.6","8.5.60","8.5.61","8.5.62","8.5.63","8.5.64","8.5.65","8.5.66","8.5.67","8.5.68","8.5.69","8.5.7","8.5.70","8.5.71","8.5.72","8.5.73","8.5.74","8.5.75","8.5.76","8.5.77","8.5.78","8.5.79","8.5.8","8.5.80","8.5.81","8.5.82","8.5.83","8.5.84","8.5.85","8.5.86","8.5.87","8.5.88","8.5.89","8.5.9","8.5.90","8.5.91","8.5.92","8.5.93","8.5.94","8.5.95","8.5.96","8.5.97","8.5.98","8.5.99","9.0.0","9.0.0-M1","9.0.0-M10","9.0.0-M11","9.0.0-M12","9.0.0-M13","9.0.0-M14","9.0.0-M15","9.0.0-M16","9.0.0-M17","9.0.0-M18","9.0.0-M19","9.0.0-M2","9.0.0-M20","9.0.0-M21","9.0.0-M22","9.0.0-M23","9.0.0-M24","9.0.0-M25","9.0.0-M26","9.0.0-M27","9.0.0-M3","9.0.0-M4","9.0.0-M5","9.0.0-M6","9.0.0-M7","9.0.0-M8","9.0.0-M9","9.0.1","9.0.10","9.0.100","9.0.101","9.0.102","9.0.103","9.0.104","9.0.105","9.0.106","9.0.107","9.0.108","9.0.109","9.0.11","9.0.110","9.0.111","9.0.112","9.0.113","9.0.114","9.0.115","9.0.12","9.0.13","9.0.14","9.0.15","9.0.16","9.0.17","9.0.18","9.0.19","9.0.2","9.0.20","9.0.21","9.0.22","9.0.23","9.0.24","9.0.25","9.0.26","9.0.27","9.0.28","9.0.29","9.0.3","9.0.30","9.0.31","9.0.32","9.0.33","9.0.34","9.0.35","9.0.36","9.0.37","9.0.38","9.0.39","9.0.4","9.0.40","9.0.41","9.0.42","9.0.43","9.0.44","9.0.45","9.0.46","9.0.47","9.0.48","9.0.49","9.0.5","9.0.50","9.0.51","9.0.52","9.0.53","9.0.54","9.0.55","9.0.56","9.0.57","9.0.58","9.0.59","9.0.6","9.0.60","9.0.61","9.0.62","9.0.63","9.0.64","9.0.65","9.0.66","9.0.67","9.0.68","9.0.69","9.0.7","9.0.70","9.0.71","9.0.72","9.0.73","9.0.74","9.0.75","9.0.76","9.0.77","9.0.78","9.0.79","9.0.8","9.0.80","9.0.81","9.0.82","9.0.83","9.0.84","9.0.85","9.0.86","9.0.87","9.0.88","9.0.89","9.0.9","9.0.90","9.0.91","9.0.92","9.0.93","9.0.94","9.0.95","9.0.96","9.0.97","9.0.98","9.0.99"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"2.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"3.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7_s390x"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4_ppc64"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5_ppc64"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6_ppc64"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7_ppc64"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"7.5_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"9.2_ppc64le"}]},{"events":[{"introduced":"0"},{"last_affected":"7.4"}]},{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"7.7"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12615.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}