← back
CVE-2017-12615

CVE-2017-12615

CVSS 8.1 HIGHEPSS 99.6%● KEVCWE-434
In short

Apache Tomcat on Windows allows uploading JSP files when HTTP PUT requests are enabled, letting attackers execute arbitrary code on the server. This is critical because it gives attackers complete control over the web application.

Technical detail

CWE-434 (Unrestricted File Upload) vulnerability in Tomcat 7.0.0–7.0.79 on Windows systems with readonly=false. Attackers can craft HTTP PUT requests to upload JSP files to web-accessible directories, which are then executed with server privileges. No authentication required if PUT is enabled; impact is remote code execution.

Summary generated and translated by AI from the official description.
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Apache Software Foundation · Apache Tomcat
public PoCs found20
githubgithub.com/lizhianyuguangming/TomcatScanPro291githubgithub.com/tpt11fb/AttackTomcat254githubgithub.com/breaktoprotect/CVE-2017-12615111githubgithub.com/mefulton/cve-2017-1261511githubgithub.com/xiaokp7/Tomcat_PUT_GUI_EXP11githubgithub.com/zi0Black/POC-CVE-2017-12615-or-CVE-2017-127175githubgithub.com/1337g/CVE-2017-126153githubgithub.com/wsg00d/cve-2017-126152githubgithub.com/BeyondCy/CVE-2017-126151githubgithub.com/w0x68y/CVE-2017-12615-EXP1githubgithub.com/ianxtianxt/CVE-2017-126151githubgithub.com/Fa1c0n35/CVE-2017-126150githubgithub.com/Shellkeys/CVE-2017-126150githubgithub.com/cved-sources/cve-2017-126150githubgithub.com/cyberharsh/Tomcat-CVE-2017-126150githubgithub.com/wudidwo/CVE-2017-12615-poc0githubgithub.com/edyekomu/CVE-2017-12615-PoC0githubgithub.com/netw0rk7/CVE-2017-12615-Home-Lab0exploitdbwww.exploit-db.com/exploits/42953unverifiedcve_referencewww.exploit-db.com/exploits/42953/unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.htmlhttps://access.redhat.com/errata/RHSA-2017:3080https://access.redhat.com/errata/RHSA-2017:3081https://access.redhat.com/errata/RHSA-2017:3113https://access.redhat.com/errata/RHSA-2017:3114https://access.redhat.com/errata/RHSA-2018:0465https://access.redhat.com/errata/RHSA-2018:0466https://github.com/breaktoprotect/CVE-2017-12615https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E