When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12617 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.16.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.16/tomcat-embed-core-8.5.16.jar
Dependency Hierarchy: - spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library) - spring-boot-starter-tomcat-1.5.6.RELEASE.jar - :x: **tomcat-embed-core-8.5.16.jar** (Vulnerable Library)
Found in HEAD commit: 5ba5ceefd37ed98562997e107cf68818a5f68845
Found in base branch: master
Vulnerability Details
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Publish Date: 2017-10-03
URL: CVE-2017-12617
CVSS 3 Score Details (8.1)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
Release Date: 2017-10-03
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.23
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.8.RELEASE