Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

CVE-2017-12617

Unrestricted Upload of File with Dangerous Type Apache Tomcat

Description

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Base CVSS

8.1

EPSS Score

94.39%

Introduced Version

6.0.13

Fix Available

8.0.47,8.5.23,9.0.1,7.0.82

Fix without Upgrading

Available Patches

Package

CVEs Fixed

Lines of Code Changed

org.apache.tomcat:tomcat-catalina

References

https://github.com/apache/tomcat/commit/c177e9668d1278710bdb14c0eb8d2702b3655f5a

https://github.com/apache/tomcat/commit/24aea94807f940ee44aa550378dc903289039ddd

https://support.f5.com/csp/article/K53173544

https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

https://github.com/apache/tomcat/commit/512a3c3aecdb52de092c6bacddd71b85c4feda06

https://github.com/apache/tomcat/commit/b7e0435d17aba69f16ae9e8a78ad0f1565b552af

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E

https://access.redhat.com/errata/RHSA-2018:0466

https://nvd.nist.gov/vuln/detail/CVE-2017-12617

https://web.archive.org/web/20201209024734/http://www.securitytracker.com/id/1039552

https://github.com/apache/tomcat/commit/bbcbb749c75056a2781f37038d63e646fe972104

https://github.com/apache/tomcat/commit/506d862e7edfa991de198e0f2e4c4540830fa531

http://www.securityfocus.com/bid/100954

https://github.com/apache/tomcat/commit/e650cf1b83e441dbd3863f3f6b61c972cafce19e

https://github.com/apache/tomcat/commit/cf0b37beb0622abdf24acc7110daf883f3fe4f95

https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us

https://access.redhat.com/errata/RHSA-2017:3114

https://usn.ubuntu.com/3665-1

https://access.redhat.com/errata/RHSA-2018:0269

https://github.com/apache/tomcat/commit/fd52f8601170b91f9d7162510e54563e5bf6bdfe

https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E

https://github.com/apache/tomcat/commit/4cf7dab88282c8f3c92f0b961cdb0096e1d63e88

https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E

https://access.redhat.com/errata/RHSA-2018:0271

https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E

https://access.redhat.com/errata/RHSA-2017:3113

https://access.redhat.com/errata/RHSA-2017:3080

https://access.redhat.com/errata/RHSA-2018:0275

https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E

https://github.com/apache/tomcat/commit/327e8a6644e188764325a013aa2725a60f1b37e5

https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E

https://security.netapp.com/advisory/ntap-20171018-0002

https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E

https://www.exploit-db.com/exploits/42966

https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E

http://www.securitytracker.com/id/1039552

https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html

https://github.com/apache/tomcat/commit/f1b85da754c4760787d68a99e839b50878140b57

https://access.redhat.com/errata/RHSA-2018:0268

https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

https://github.com/apache/tomcat/commit/74ad0e216c791454a318c1811300469eedc5c6f3

https://access.redhat.com/errata/RHSA-2017:3081

https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E

https://github.com/apache/tomcat/commit/d5b170705d24c386d76038e5989045c89795c28c

https://github.com/apache/tomcat/commit/46dfedbc0523d7182be97f4244d7b6c942164485

https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E

https://access.redhat.com/errata/RHSA-2018:0465

https://github.com/apache/tomcat/commit/b577f9a7996b92b650b1649af3c3bae11c120db9

https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

https://web.archive.org/web/20171110171954/http://www.securityfocus.com/bid/100954

https://github.com/apache/tomcat/commit/a9dd96046d7acb0357c6b7b9e6cc70d186fae663

https://security.netapp.com/advisory/ntap-20180117-0002

https://www.exploit-db.com/exploits/43008

https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E

https://github.com/apache/tomcat/commit/31e99502e2c602449a2f8835bd23ade772b77333

https://access.redhat.com/errata/RHSA-2018:0270

https://github.com/apache/tomcat

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

https://access.redhat.com/errata/RHSA-2018:2939

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

AppSec for the Software Development Revolution

Endor Labs builds a complete graph of your software estate, so teams can pinpoint and fix critical risks in complex, dependency-rich code—whether it was written by humans or AI.

Welcome to the resistance

Oops! Something went wrong, please try again.