CVE-2017-12615

8.1 HIGH CISA KEV - Actively Exploited
Published: September 19, 2017 Modified: October 22, 2025
View on NVD

Description

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
Source: security@apache.org
Exploit
http://www.securityfocus.com/bid/100901
Source: security@apache.org
Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039392
Source: security@apache.org
Broken Link Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:3080
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3081
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3113
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3114
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0465
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0466
Source: security@apache.org
Third Party Advisory
https://github.com/breaktoprotect/CVE-2017-12615
Source: security@apache.org
Exploit Third Party Advisory
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E
Source: security@apache.org
Issue Tracking Mailing List
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
Source: security@apache.org
Mailing List
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://security.netapp.com/advisory/ntap-20171018-0001/
Source: security@apache.org
Third Party Advisory
https://www.exploit-db.com/exploits/42953/
Source: security@apache.org
Third Party Advisory VDB Entry
https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
Source: security@apache.org
Third Party Advisory
http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit
http://www.securityfocus.com/bid/100901
Source: af854a3a-2127-422b-91ae-364da2661108
Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039392
Source: af854a3a-2127-422b-91ae-364da2661108
Broken Link Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:3080
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3081
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3113
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3114
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0465
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0466
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://github.com/breaktoprotect/CVE-2017-12615
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Third Party Advisory
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Issue Tracking Mailing List
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://security.netapp.com/advisory/ntap-20171018-0001/
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://www.exploit-db.com/exploits/42953/
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory VDB Entry
https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

39 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
94.3%
100th percentile
Exploitation Status
Actively Exploited
Remediation due: 2022-04-15

Weaknesses (CWE)

CWE-434 CWE-434

Affected Vendors

apache redhat microsoft netapp

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3