CVE-2017-12615

high Apache ⚠️ CISA KEV — Exploited in the Wild
CVSS v3 Base Score
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
94.2%
Exploitation probability in 30 days
Top 0% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Confidentiality
High
Integrity
High
Availability
High
Published: September 19, 2017 (3159 days ago)
Last Modified: April 21, 2026
Vendor: Apache
Source: NVD

⚠️ CISA Known Exploited Vulnerability

Added to KEV: 2022-03-25
Remediation Due: 2022-04-15 (⚠ 1491d overdue)
Ransomware Campaign: Known

Description

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CWE

CWE-434

Affected Products

apache tomcatnetapp 7-mode transition toolnetapp oncommand balancenetapp oncommand shiftredhat enterprise linux server update services for sap solutionsredhat jboss enterprise web serverredhat jboss enterprise web server text-only advisoriesredhat enterprise linux desktopredhat enterprise linux eusredhat enterprise linux eus compute node

References

🔗 breaktoprotect.blogspot.com 🔗 www.securityfocus.com 🔗 www.securitytracker.com 🔗 access.redhat.com 🔗 access.redhat.com