{"api_version":"1","generated_at":"2026-04-22T19:48:10+00:00","cve":"CVE-2017-12615","urls":{"html":"https://cve.report/CVE-2017-12615","api":"https://cve.report/api/cve/CVE-2017-12615.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-12615","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-12615"},"summary":{"title":"CVE-2017-12615","description":"When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.","state":"PUBLISHED","assigner":"apache","published_at":"2017-09-19 13:29:00","updated_at":"2026-04-21 17:04:04"},"problem_types":["CWE-434","Remote Code Execution","CWE-434 CWE-434 Unrestricted Upload of File with Dangerous Type"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"DECLARED","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"version":"3.1","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","score":"8.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"2.0","source":"nvd@nist.gov","type":"Primary","score":"6.8","severity":"","vector":"AV:N/AC:M/Au:N/C:P/I:P/A:P","data":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"}}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2017:3114","name":"https://access.redhat.com/errata/RHSA-2017:3114","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/breaktoprotect/CVE-2017-12615","name":"https://github.com/breaktoprotect/CVE-2017-12615","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"],"title":"GitHub - breaktoprotect/CVE-2017-12615: POC Exploit for Apache Tomcat 7.0.x CVE-2017-12615 PUT JSP vulnerability.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2017:3080","name":"https://access.redhat.com/errata/RHSA-2017:3080","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615","name":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":["US Government Resource"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2018:0465","name":"https://access.redhat.com/errata/RHSA-2018:0465","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/42953/","name":"https://www.exploit-db.com/exploits/42953/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/100901","name":"http://www.securityfocus.com/bid/100901","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory","VDB Entry"],"title":"Apache Tomcat CVE-2017-12615 Remote Code Execution Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html","name":"http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit"],"title":"Break To Protect: The Case of CVE-2017-12615 Tomcat 7 PUT vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E","name":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E","name":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2017:3081","name":"https://access.redhat.com/errata/RHSA-2017:3081","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E","name":"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Issue Tracking","Mailing List"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2018:0466","name":"https://access.redhat.com/errata/RHSA-2018:0466","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.synology.com/support/security/Synology_SA_17_54_Tomcat","name":"https://www.synology.com/support/security/Synology_SA_17_54_Tomcat","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Synology-SA-17:54 Tomcat | Synology Inc.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id/1039392","name":"http://www.securitytracker.com/id/1039392","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory","VDB Entry"],"title":"Apache Tomcat on Windows HTTP PUT Request Processing Flaw Lets Remote Users Execute Arbitrary Code on the Target System - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E","name":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E","name":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20171018-0001/","name":"https://security.netapp.com/advisory/ntap-20171018-0001/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"August 2017 Apache Tomcat Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2017:3113","name":"https://access.redhat.com/errata/RHSA-2017:3113","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E","name":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Patch"],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E","name":"MLIST:[announce] 20170919 [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload","refsource":"MITRE","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E","name":"MLIST:[announce] 20200131 Apache Software Foundation Security Report: 2019","refsource":"MITRE","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E","name":"MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/","refsource":"MITRE","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E","name":"MLIST:[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/","refsource":"MITRE","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E","name":"MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/","refsource":"MITRE","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E","name":"MLIST:[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/","refsource":"MITRE","tags":[],"title":"Pony Mail!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-12615","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-12615","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Apache Software Foundation","product":"Apache Tomcat","version":"affected 7.0.0 to 7.0.79","platforms":[]}],"timeline":[{"source":"ADP","time":"2022-03-25T00:00:00.000Z","lang":"en","value":"CVE-2017-12615 added to CISA KEV"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"7.0.79","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"tomcat","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"0","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"microsoft","cpe5":"windows","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"7-mode_transition_tool","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"oncommand_balance","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"netapp","cpe5":"oncommand_shift","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_desktop","cpe6":"6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_desktop","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_eus","cpe6":"7.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_eus","cpe6":"7.5","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_eus","cpe6":"7.6","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_eus","cpe6":"7.7","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_eus_compute_node","cpe6":"7.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_eus_compute_node","cpe6":"7.5","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_eus_compute_node","cpe6":"7.6","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_eus_compute_node","cpe6":"7.7","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_ibm_z_systems","cpe6":"7.0_s390x","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_ibm_z_systems_eus","cpe6":"7.4_s390x","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_ibm_z_systems_eus","cpe6":"7.5_s390x","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_ibm_z_systems_eus","cpe6":"7.6_s390x","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_ibm_z_systems_eus","cpe6":"7.7_s390x","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_big_endian","cpe6":"7.0_ppc64","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_big_endian_eus","cpe6":"7.4_ppc64","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_big_endian_eus","cpe6":"7.5_ppc64","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_big_endian_eus","cpe6":"7.6_ppc64","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_big_endian_eus","cpe6":"7.7_ppc64","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_little_endian","cpe6":"7.0_ppc64le","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_little_endian_eus","cpe6":"7.4_ppc64le","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_little_endian_eus","cpe6":"7.5_ppc64le","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_little_endian_eus","cpe6":"7.6_ppc64le","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_power_little_endian_eus","cpe6":"7.7_ppc64le","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_for_scientific_computing","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server","cpe6":"6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_aus","cpe6":"7.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_aus","cpe6":"7.6","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_aus","cpe6":"7.7","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions","cpe6":"7.4_ppc64le","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions","cpe6":"7.6_ppc64le","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions","cpe6":"7.7_ppc64le","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions","cpe6":"9.2_ppc64le","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_tus","cpe6":"7.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_tus","cpe6":"7.6","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_server_tus","cpe6":"7.7","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"enterprise_linux_server_update_services_for_sap_solutions","cpe6":"7.4","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"enterprise_linux_server_update_services_for_sap_solutions","cpe6":"7.6","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"enterprise_linux_server_update_services_for_sap_solutions","cpe6":"7.7","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_workstation","cpe6":"6.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux_workstation","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_web_server","cpe6":"2.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_web_server","cpe6":"3.0.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"12615","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_web_server_text-only_advisories","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":{"cve_year":"2017","cve_id":"12615","cve":"CVE-2017-12615","vendorProject":"Apache","product":"Tomcat","vulnerabilityName":"Apache Tomcat on Windows Remote Code Execution Vulnerability","dateAdded":"2022-03-25","shortDescription":"When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.","requiredAction":"Apply updates per vendor instructions.","dueDate":"2022-04-15","knownRansomwareCampaignUse":"Known","notes":"https://nvd.nist.gov/vuln/detail/CVE-2017-12615","cwes":"CWE-434","catalogVersion":"2026.04.21","updated_at":"2026-04-21 13:32:18"},"epss":{"cve_year":"2017","cve_id":"12615","cve":"CVE-2017-12615","epss":"0.941980000","percentile":"0.999210000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:39"},"legacy_qids":[{"cve":"CVE-2017-12615","qid":"378318","title":"Virtuozzo Linux Security Update for tomcat6-lib (VZLSA-2017:3080)"},{"cve":"CVE-2017-12615","qid":"980957","title":"Java (maven) Security Update for org.apache.tomcat.embed:tomcat-embed-core (GHSA-pjfr-qf3p-3q25)"}]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-05T18:43:56.420Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"name":"RHSA-2017:3113","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2017:3113"},{"name":"RHSA-2017:3080","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2017:3080"},{"name":"1039392","tags":["vdb-entry","x_refsource_SECTRACK","x_transferred"],"url":"http://www.securitytracker.com/id/1039392"},{"name":"[announce] 20170919 [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://www.synology.com/support/security/Synology_SA_17_54_Tomcat"},{"name":"RHSA-2018:0465","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2018:0465"},{"tags":["x_refsource_MISC","x_transferred"],"url":"http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html"},{"name":"RHSA-2017:3114","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2017:3114"},{"name":"100901","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/100901"},{"name":"RHSA-2018:0466","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2018:0466"},{"name":"42953","tags":["exploit","x_refsource_EXPLOIT-DB","x_transferred"],"url":"https://www.exploit-db.com/exploits/42953/"},{"tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://security.netapp.com/advisory/ntap-20171018-0001/"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/breaktoprotect/CVE-2017-12615"},{"name":"RHSA-2017:3081","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"],"url":"https://access.redhat.com/errata/RHSA-2017:3081"},{"name":"[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"},{"name":"[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"},{"name":"[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"},{"name":"[announce] 20200131 Apache Software Foundation Security Report: 2019","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"},{"name":"[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/","tags":["mailing-list","x_refsource_MLIST","x_transferred"],"url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"}],"title":"CVE Program Container"},{"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},{"other":{"content":{"id":"CVE-2017-12615","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2025-02-06T20:59:29.584407Z","version":"2.0.3"},"type":"ssvc"}},{"other":{"content":{"dateAdded":"2022-03-25","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615"},"type":"kev"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-434","description":"CWE-434 Unrestricted Upload of File with Dangerous Type","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2025-10-21T23:55:34.335Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["government-resource"],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615"}],"timeline":[{"lang":"en","time":"2022-03-25T00:00:00.000Z","value":"CVE-2017-12615 added to CISA KEV"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"Apache Tomcat","vendor":"Apache Software Foundation","versions":[{"status":"affected","version":"7.0.0 to 7.0.79"}]}],"datePublic":"2017-09-19T00:00:00.000Z","descriptions":[{"lang":"en","value":"When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server."}],"problemTypes":[{"descriptions":[{"description":"Remote Code Execution","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2020-02-13T16:06:07.000Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"name":"RHSA-2017:3113","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2017:3113"},{"name":"RHSA-2017:3080","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2017:3080"},{"name":"1039392","tags":["vdb-entry","x_refsource_SECTRACK"],"url":"http://www.securitytracker.com/id/1039392"},{"name":"[announce] 20170919 [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E"},{"tags":["x_refsource_CONFIRM"],"url":"https://www.synology.com/support/security/Synology_SA_17_54_Tomcat"},{"name":"RHSA-2018:0465","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2018:0465"},{"tags":["x_refsource_MISC"],"url":"http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html"},{"name":"RHSA-2017:3114","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2017:3114"},{"name":"100901","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/100901"},{"name":"RHSA-2018:0466","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2018:0466"},{"name":"42953","tags":["exploit","x_refsource_EXPLOIT-DB"],"url":"https://www.exploit-db.com/exploits/42953/"},{"tags":["x_refsource_CONFIRM"],"url":"https://security.netapp.com/advisory/ntap-20171018-0001/"},{"tags":["x_refsource_MISC"],"url":"https://github.com/breaktoprotect/CVE-2017-12615"},{"name":"RHSA-2017:3081","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2017:3081"},{"name":"[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"},{"name":"[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"},{"name":"[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"},{"name":"[announce] 20200131 Apache Software Foundation Security Report: 2019","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E"},{"name":"[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/","tags":["mailing-list","x_refsource_MLIST"],"url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","DATE_PUBLIC":"2017-09-19T00:00:00","ID":"CVE-2017-12615","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Tomcat","version":{"version_data":[{"version_value":"7.0.0 to 7.0.79"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Remote Code Execution"}]}]},"references":{"reference_data":[{"name":"RHSA-2017:3113","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:3113"},{"name":"RHSA-2017:3080","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:3080"},{"name":"1039392","refsource":"SECTRACK","url":"http://www.securitytracker.com/id/1039392"},{"name":"[announce] 20170919 [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload","refsource":"MLIST","url":"https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E"},{"name":"https://www.synology.com/support/security/Synology_SA_17_54_Tomcat","refsource":"CONFIRM","url":"https://www.synology.com/support/security/Synology_SA_17_54_Tomcat"},{"name":"RHSA-2018:0465","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:0465"},{"name":"http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html","refsource":"MISC","url":"http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html"},{"name":"RHSA-2017:3114","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:3114"},{"name":"100901","refsource":"BID","url":"http://www.securityfocus.com/bid/100901"},{"name":"RHSA-2018:0466","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2018:0466"},{"name":"42953","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/42953/"},{"name":"https://security.netapp.com/advisory/ntap-20171018-0001/","refsource":"CONFIRM","url":"https://security.netapp.com/advisory/ntap-20171018-0001/"},{"name":"https://github.com/breaktoprotect/CVE-2017-12615","refsource":"MISC","url":"https://github.com/breaktoprotect/CVE-2017-12615"},{"name":"RHSA-2017:3081","refsource":"REDHAT","url":"https://access.redhat.com/errata/RHSA-2017:3081"},{"name":"[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/","refsource":"MLIST","url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E"},{"name":"[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/","refsource":"MLIST","url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E"},{"name":"[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/","refsource":"MLIST","url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E"},{"name":"[announce] 20200131 Apache Software Foundation Security Report: 2019","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E"},{"name":"[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/","refsource":"MLIST","url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E"}]}}}},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2017-12615","datePublished":"2017-09-19T13:00:00.000Z","dateReserved":"2017-08-07T00:00:00.000Z","dateUpdated":"2025-10-21T23:55:34.335Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"},"nvd":{"publishedDate":"2017-09-19 13:29:00","lastModifiedDate":"2026-04-21 17:04:04","problem_types":["CWE-434","Remote Code Execution","CWE-434 CWE-434 Unrestricted Upload of File with Dangerous Type"],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:P","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"MEDIUM","exploitabilityScore":8.6,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndIncluding":"7.0.79","matchCriteriaId":"0A3F5425-BA5F-411C-BA1D-FFC3D2EBF93D"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*","matchCriteriaId":"7EF6650C-558D-45C8-AE7D-136EE70CB6D7"},{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:oncommand_balance:-:*:*:*:*:*:*:*","matchCriteriaId":"7DCBCC5D-C396-47A8-ADF4-D3A2C4377FB1"},{"vulnerable":true,"criteria":"cpe:2.3:a:netapp:oncommand_shift:-:*:*:*:*:*:*:*","matchCriteriaId":"3BD81527-A341-42C3-9AB9-880D3DB04B08"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.4:*:*:*:*:*:*:*","matchCriteriaId":"E3A36AEE-5842-4876-9C2F-E703C981C992"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.6:*:*:*:*:*:*:*","matchCriteriaId":"CB70A2F8-EAB3-4898-9353-F679FF721C82"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:enterprise_linux_server_update_services_for_sap_solutions:7.7:*:*:*:*:*:*:*","matchCriteriaId":"EB3AC848-C2D0-4878-8619-F5815173555D"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*","matchCriteriaId":"681173DF-537E-4A64-8FC7-75F439CCAD0D"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*","matchCriteriaId":"8E2F2F98-DB90-43F6-8F28-3656207B6188"},{"vulnerable":true,"criteria":"cpe:2.3:a:redhat:jboss_enterprise_web_server_text-only_advisories:-:*:*:*:*:*:*:*","matchCriteriaId":"08E5BFFC-F3E0-43E6-BA40-81B2A8B7CC01"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*","matchCriteriaId":"EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*","matchCriteriaId":"33C068A4-3780-4EAB-A937-6082DF847564"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*","matchCriteriaId":"F96E3779-F56A-45FF-BB3D-4980527D721E"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*","matchCriteriaId":"0CF73560-2F5B-4723-A8A1-9AADBB3ADA00"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*","matchCriteriaId":"5BF3C7A5-9117-42C7-BEA1-4AA378A582EF"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*","matchCriteriaId":"83737173-E12E-4641-BC49-0BD84A6B29D0"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:*:*:*:*:*:*:*","matchCriteriaId":"46DD0CA2-3786-4E97-A60C-5043FDDBCB86"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:*:*:*:*:*:*:*","matchCriteriaId":"55E4609A-C986-4041-A528-1B4B37E1F6F6"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:*:*:*:*:*:*:*","matchCriteriaId":"92BDD126-A468-47D9-A468-6E229D75939D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:*:*:*:*:*:*:*","matchCriteriaId":"6DAA8C42-870A-42B4-AE9F-7C67F4122ED3"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*","matchCriteriaId":"2148300C-ECBD-4ED5-A164-79629859DD43"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:*:*:*:*:*:*:*","matchCriteriaId":"B908AEF5-67CE-42D4-961D-C0E7ADB78ADD"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:*:*:*:*:*:*:*","matchCriteriaId":"0F8EB695-5EA3-46D2-941E-D7F01AB99A48"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:*:*:*:*:*:*:*","matchCriteriaId":"1E1DB003-76B8-4D7B-A6ED-5064C3AE1C11"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:*:*:*:*:*:*:*","matchCriteriaId":"FFC68D88-3CD3-4A3D-A01B-E9DBACD9B9CB"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*","matchCriteriaId":"8BCF87FD-9358-42A5-9917-25DF0180A5A6"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:*:*:*:*:*:*:*","matchCriteriaId":"9B8B2E32-B838-4E51-BAA2-764089D2A684"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:*:*:*:*:*:*:*","matchCriteriaId":"4319B943-7B19-468D-A160-5895F7F997A3"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:*:*:*:*:*:*:*","matchCriteriaId":"39C1ABF5-4070-4AA7-BAB8-4F63E1BD91FF"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:*:*:*:*:*:*:*","matchCriteriaId":"8036E2AE-4E44-4FA5-AFFB-A3724BFDD654"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0_ppc64le:*:*:*:*:*:*:*","matchCriteriaId":"7A584AAA-A14F-4C64-8FED-675DC36F69A3"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:*:*:*:*:*:*:*","matchCriteriaId":"E9A24D0C-604D-4421-AFA6-5D541DA2E94D"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:*:*:*:*:*:*:*","matchCriteriaId":"3A2E3637-B6A6-4DA9-8B0A-E91F22130A45"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:*:*:*:*:*:*:*","matchCriteriaId":"F81F859C-DA89-4D1E-91D3-A000AD646203"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:*:*:*:*:*:*:*","matchCriteriaId":"418488A5-2912-406C-9337-B8E85D0C2B57"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*","matchCriteriaId":"37CE1DC7-72C5-483C-8921-0B462C8284D1"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*","matchCriteriaId":"9BBCD86A-E6C7-4444-9D74-F861084090F0"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*","matchCriteriaId":"51EF4996-72F4-4FA4-814F-F5991E7A8318"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*","matchCriteriaId":"D99A687E-EAE6-417E-A88E-D0082BC194CD"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*","matchCriteriaId":"B353CE99-D57C-465B-AAB0-73EF581127D1"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*","matchCriteriaId":"7431ABC1-9252-419E-8CC1-311B41360078"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.4_ppc64le:*:*:*:*:*:*:*","matchCriteriaId":"A70DB420-5485-4820-9F1C-3F78A6219984"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.6_ppc64le:*:*:*:*:*:*:*","matchCriteriaId":"D9942F96-A8C1-4281-82C5-BB9D9C50A6CF"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:7.7_ppc64le:*:*:*:*:*:*:*","matchCriteriaId":"5325286E-F11D-4713-B666-5D7A4F65B326"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:*:*:*:*:*:*:*","matchCriteriaId":"CC6A25CB-907A-4D05-8460-A2488938A8BE"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*","matchCriteriaId":"D5F7E11E-FB34-4467-8919-2B6BEAABF665"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*","matchCriteriaId":"B76AA310-FEC7-497F-AF04-C3EC1E76C4CC"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*","matchCriteriaId":"17F256A9-D3B9-4C72-B013-4EFD878BFEA8"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*","matchCriteriaId":"E5ED5807-55B7-47C5-97A6-03233F4FBC3A"},{"vulnerable":true,"criteria":"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*","matchCriteriaId":"825ECE2D-E232-46E0-A047-074B34DB1E97"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"12615","Ordinal":"1","Title":"CVE-2017-12615","CVE":"CVE-2017-12615","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"12615","Ordinal":"1","NoteData":"When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.","Type":"Description","Title":"CVE-2017-12615"},{"CveYear":"2017","CveId":"12615","Ordinal":"2","NoteData":"2017-09-19","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"12615","Ordinal":"3","NoteData":"2020-02-13","Type":"Other","Title":"Modified"}]}}}