oss-sec mailing list archives
[SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload
From: Mark Thomas <markt () apache org>
Date: Tue, 19 Sep 2017 14:06:38 +0100
CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79

Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later
  (7.0.80 was not released)

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team by iswin from 360-sg-lab (360观星实验室)

History:
2017-09-19 Original advisory

References:
[1] http://tomcat.apache.org/security-7.html
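Two defender-side checks for the exposure condition this advisory describes, added here as an example and not part of the advisory or of Tomcat itself: an audit of conf/web.xml for the readonly=false setting on the DefaultServlet, and a scan of access-log lines (AccessLogValve "common" pattern) for PUT requests naming a JSP that the server accepted. The web.xml fragment and the log lines are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the weak setting named in the advisory (readonly=false on the
# DefaultServlet) and its hardened counterpart; the parser ignores the xmlns.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false", "<param-value>true")

# Constructed access log lines in the AccessLogValve "common" pattern.
SAMPLE_LOG = [
    '10.0.0.7 - - [19/Sep/2017:14:01:02 +0100] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.5 - - [19/Sep/2017:14:06:38 +0100] "PUT /upload.jsp HTTP/1.1" 201 -',
    '10.0.0.5 - - [19/Sep/2017:14:06:40 +0100] "PUT /notes.txt HTTP/1.1" 201 -',
    '10.0.0.9 - - [19/Sep/2017:14:07:00 +0100] "PUT /x.jsp HTTP/1.1" 403 -',
]
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def _text(elem, local_name):
    """Text of the first child whose tag has the given local name, ignoring xmlns."""
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == local_name:
            return (child.text or "").strip()
    return ""

def default_servlet_writable(web_xml: str) -> bool:
    """True if the DefaultServlet is configured with readonly=false (PUT accepted)."""
    for servlet in ET.fromstring(web_xml).iter():
        if servlet.tag.rsplit("}", 1)[-1] != "servlet":
            continue
        if not _text(servlet, "servlet-class").endswith(".DefaultServlet"):
            continue
        for param in servlet:
            if _text(param, "param-name") == "readonly":
                return _text(param, "param-value").lower() == "false"
    return False  # readonly defaults to true when the init-param is absent

def suspicious_jsp_puts(log_lines):
    """(host, path, status) for PUTs naming a .jsp that the server accepted."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "PUT" and ".jsp" in m["path"].lower() \
                and m["status"] in ("201", "204"):
            hits.append((m["host"], m["path"], int(m["status"])))
    return hits
```

A successful PUT is logged as 201 (created) or 204 (overwritten); a 403 means the DefaultServlet refused the write, which is the expected result with readonly left at its default of true.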