CVE-2017-12615

Published: 19 September 2017

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. by setting the readonly initialisation parameter of the Default servlet to false), it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested, and any code it contained would be executed by the server.

Priority

Medium

CVSS 3 base score: 8.1

Status

Package: tomcat7 (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Needs triage
Ubuntu 16.04 ESM (Xenial Xerus)    Not vulnerable (windows only)
Ubuntu 14.04 ESM (Trusty Tahr)     Not vulnerable (windows only)