2017-10-04 03:29:02 2019-04-23 21:29:49

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL

Apache Tomcat 9.0.0 M8 (not an official CPE)
Apache Tomcat 9.0.0 M7 (not an official CPE)
Apache Tomcat 9.0.0 M6 (not an official CPE)
Apache Tomcat 9.0.0 M5 (not an official CPE)
Apache Tomcat 9.0.0 M4 (not an official CPE)
Apache Tomcat 9.0.0 M3 (not an official CPE)
Apache Tomcat 9.0.0 M22 (not an official CPE)
Apache Tomcat 9.0.0 M21 (not an official CPE)
Apache Tomcat 9.0.0 M20 (not an official CPE)
Apache Tomcat 9.0.0 M2 (not an official CPE)
Apache Tomcat 9.0.0 M19 (not an official CPE)
Apache Tomcat 9.0.0 M18 (not an official CPE)
Apache Tomcat 9.0.0 M17 (not an official CPE)
Apache Tomcat 9.0.0 M16 (not an official CPE)
Apache Tomcat 9.0.0 M15 (not an official CPE)
Apache Tomcat 9.0.0 M14 (not an official CPE)
Apache Tomcat 9.0.0 M13 (not an official CPE)
Apache Tomcat 9.0.0 M12 (not an official CPE)
Apache Tomcat 9.0.0 M11 (not an official CPE)
Apache Tomcat 9.0.0 M10 (not an official CPE)
Apache Tomcat 9.0.0 M1 (not an official CPE)
Apache Tomcat 9.0.0 (not an official CPE)
Apache Tomcat 8.5.22 (not an official CPE)
Apache Tomcat 8.5.21 (not an official CPE)
Apache Tomcat 8.5.20 (not an official CPE)
Apache Tomcat 8.5.19 (not an official CPE)
Apache Tomcat 8.5.18 (not an official CPE)
Apache Tomcat 8.5.17 (not an official CPE)
Apache Tomcat 8.5.16 (not an official CPE)
Apache Tomcat 8.5.15 (not an official CPE)
Apache Tomcat 8.5.14 (not an official CPE)
Apache Tomcat 8.5.13 (not an official CPE)
Apache Tomcat 8.5.12 (not an official CPE)
Apache Tomcat 8.5.11 (not an official CPE)
Apache Tomcat 8.5.10 (not an official CPE)
Apache Tomcat 8.5.9 (not an official CPE)
Apache Tomcat 8.5.8 (not an official CPE)
Apache Tomcat 8.5.7 (not an official CPE)
Apache Tomcat 8.5.6 (not an official CPE)
Apache Tomcat 8.5.5 (not an official CPE)
Apache Tomcat 8.5.4 (not an official CPE)
Apache Tomcat 8.5.3 (not an official CPE)
Apache Tomcat 8.5.2 (not an official CPE)
Apache Tomcat 8.5.1 (not an official CPE)
Apache Tomcat 8.5.0 (not an official CPE)
Apache Tomcat 8.0.46 (not an official CPE)
Apache Tomcat 8.0.45 (not an official CPE)
Apache Tomcat 8.0.44 (not an official CPE)
Apache Tomcat 8.0.43 (not an official CPE)
Apache Tomcat 8.0.42 (not an official CPE)
Apache Tomcat 8.0.41 (not an official CPE)
Apache Tomcat 8.0.40 (not an official CPE)
Apache Tomcat 8.0.39 (not an official CPE)
Apache Tomcat 8.0.38 (not an official CPE)
Apache Tomcat 8.0.37 (not an official CPE)
Apache Tomcat 8.0.36 (not an official CPE)
Apache Tomcat 8.0.35 (not an official CPE)
Apache Tomcat 8.0.34 (not an official CPE)
Apache Tomcat 8.0.33 (not an official CPE)
Apache Tomcat 8.0.32 (not an official CPE)
Apache Tomcat 8.0.31 (not an official CPE)
Apache Tomcat 8.0.30 (not an official CPE)
Apache Tomcat 8.0.29 (not an official CPE)
Apache Tomcat 8.0.28 (not an official CPE)
Apache Tomcat 8.0.27 (not an official CPE)
Apache Tomcat 8.0.26 (not an official CPE)
Apache Tomcat 8.0.25 (not an official CPE)
Apache Tomcat 8.0.24 (not an official CPE)
Apache Tomcat 8.0.23 (not an official CPE)
Apache Tomcat 8.0.22 (not an official CPE)
Apache Tomcat 8.0.21 (not an official CPE)
Apache Tomcat 8.0.20 (not an official CPE)
Apache Tomcat 8.0.19 (not an official CPE)
Apache Tomcat 8.0.18 (not an official CPE)
Apache Tomcat 8.0.17 (not an official CPE)
Apache Tomcat 8.0.16 (not an official CPE)
Apache Software Foundation Tomcat 8.0.15
Apache Software Foundation Tomcat 8.0.14
Apache Tomcat 8.0.13 (not an official CPE)
Apache Software Foundation Tomcat 8.0.12
Apache Software Foundation Tomcat 8.0.11
Apache Tomcat 8.0.10 (not an official CPE)
Apache Software Foundation Tomcat 8.0.9
Apache Tomcat 8.0.7 (not an official CPE)
Apache Tomcat 8.0.6 (not an official CPE)
Apache Tomcat 8.0.4 (not an official CPE)
Apache Tomcat 8.0.2 (not an official CPE)
Apache Software Foundation Tomcat 8.0.1
Apache Software Foundation Tomcat 8.0.0 release candidate 5
Apache Software Foundation Tomcat 8.0.0 Release Candidate 2
Apache Software Foundation Tomcat 8.0.0 release candidate 10
Apache Software Foundation Tomcat 8.0.0 Release Candidate 1
Apache Tomcat 7.0.81 (not an official CPE)
Apache Tomcat 7.0.80 (not an official CPE)
Apache Tomcat 7.0.79 (not an official CPE)
Apache Tomcat 7.0.77 (not an official CPE)
Apache Tomcat 7.0.76 (not an official CPE)
Apache Tomcat 7.0.75 (not an official CPE)
Apache Tomcat 7.0.74 (not an official CPE)
Apache Tomcat 7.0.73 (not an official CPE)
Apache Tomcat 7.0.72 (not an official CPE)
Apache Tomcat 7.0.71 (not an official CPE)
Apache Tomcat 7.0.70 (not an official CPE)
Apache Tomcat 7.0.69 (not an official CPE)
Apache Tomcat 7.0.68 (not an official CPE)
Apache Tomcat 7.0.67 (not an official CPE)
Apache Tomcat 7.0.66 (not an official CPE)
Apache Tomcat 7.0.65 (not an official CPE)
Apache Tomcat 7.0.64 (not an official CPE)
Apache Tomcat 7.0.63 (not an official CPE)
Apache Tomcat 7.0.62 (not an official CPE)
Apache Tomcat 7.0.61 (not an official CPE)
Apache Tomcat 7.0.60 (not an official CPE)
Apache Tomcat 7.0.59 (not an official CPE)
Apache Tomcat 7.0.58 (not an official CPE)
Apache Software Foundation Tomcat 7.0.57
Apache Software Foundation Tomcat 7.0.56
Apache Software Foundation Tomcat 7.0.55
Apache Software Foundation Tomcat 7.0.54
Apache Tomcat 7.0.51 (not an official CPE)
Apache Software Foundation Tomcat 7.0.50
Apache Software Foundation Tomcat 7.0.49
Apache Software Foundation Tomcat 7.0.48
Apache Software Foundation Tomcat 7.0.47
Apache Software Foundation Tomcat 7.0.46
Apache Software Foundation Tomcat 7.0.45
Apache Software Foundation Tomcat 7.0.44
Apache Software Foundation Tomcat 7.0.43
Apache Software Foundation Tomcat 7.0.42
Apache Software Foundation Tomcat 7.0.41
Apache Software Foundation Tomcat 7.0.40
Apache Software Foundation Tomcat 7.0.39
Apache Software Foundation Tomcat 7.0.38
Apache Software Foundation Tomcat 7.0.37
Apache Software Foundation Tomcat 7.0.36
Apache Software Foundation Tomcat 7.0.35
Apache Software Foundation Tomcat 7.0.34
Apache Software Foundation Tomcat 7.0.33
Apache Software Foundation Tomcat 7.0.30
Apache Software Foundation Tomcat 7.0.32
Apache Software Foundation Tomcat 7.0.31
Apache Software Foundation Tomcat 7.0.29
Apache Software Foundation Tomcat 7.0.28
Apache Software Foundation Tomcat 7.0.27
Apache Software Foundation Tomcat 7.0.26
Apache Software Foundation Tomcat 7.0.25
Apache Software Foundation Tomcat 7.0.24
Apache Software Foundation Tomcat 7.0.23
Apache Software Foundation Tomcat 7.0.22
Apache Software Foundation Tomcat 7.0.21
Apache Software Foundation Tomcat 7.0.20
Apache Software Foundation Tomcat 7.0.19
Apache Software Foundation Tomcat 7.0.17
Apache Software Foundation Tomcat 7.0.18
Apache Software Foundation Tomcat 7.0.16
Apache Software Foundation Tomcat 7.0.15
Apache Software Foundation Tomcat 7.0.14
Apache Software Foundation Tomcat 7.0.13
Apache Software Foundation Tomcat 7.0.12
Apache Software Foundation Tomcat 7.0.11
Apache Software Foundation Tomcat 7.0.10
Apache Software Foundation Tomcat 7.0.9
Apache Software Foundation Tomcat 7.0.8
Apache Software Foundation Tomcat 7.0.7
Apache Software Foundation Tomcat 7.0.6
Apache Tomcat 7.0.5 Beta (not an official CPE)
Apache Software Foundation Tomcat 7.0.5
Apache Software Foundation Tomcat 7.0.3
Apache Software Foundation Tomcat 7.0.4
Apache Software Foundation Tomcat 7.0.4 beta
Apache Software Foundation Tomcat 7.0.2 beta
Apache Software Foundation Tomcat 7.0.2
Apache Software Foundation Tomcat 7.0.1
Apache Software Foundation Tomcat 7.0.0
Apache Tomcat 9.0.0 M9 (not an official CPE)

Advisory Patch Confirmed Link
https://security.netapp.com/advisory/ntap-20180117-0002/
https://support.f5.com/csp/article/K53173544
[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in ...
USN-3665-1
https://support.hpe.com/hpsc/doc/public/display?docLocal...
[debian-lts-announce] 20171107 [SECURITY] [DLA 1166-1] t...
https://security.netapp.com/advisory/ntap-20171018-0002/
[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in ...
[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in ...
[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in ...
[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /t...
[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in ...
[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in ...
[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in ...
[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in ...
[announce] 20171003 [SECURITY] CVE-2017-12617 Apache Tom...
https://support.hpe.com/hpsc/doc/public/display?docLocal...
[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in ...
RHSA-2018:0271
RHSA-2018:0275
RHSA-2018:0465
RHSA-2018:0466
[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in ...
RHSA-2018:2939
RHSA-2018:0269
RHSA-2018:0270
RHSA-2017:3114
RHSA-2018:0268
RHSA-2017:3081
RHSA-2017:3113
1039552
RHSA-2017:3080
100954
http://www.oracle.com/technetwork/security-advisory/cpuj...
http://www.oracle.com/technetwork/security-advisory/cpuj...
http://www.oracle.com/technetwork/security-advisory/cpua...
42966
43008
https://www.oracle.com/technetwork/security-advisory/cpu...