CVE-2017-12617

8.1 HIGH CISA KEV - Actively Exploited
Published: October 04, 2017 Modified: October 22, 2025
View on NVD

Description

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Source: security@apache.org
Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Source: security@apache.org
Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Source: security@apache.org
Patch Third Party Advisory
http://www.securityfocus.com/bid/100954
Source: security@apache.org
Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039552
Source: security@apache.org
Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:3080
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3081
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3113
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3114
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0268
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0269
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0270
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0271
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0275
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0465
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0466
Source: security@apache.org
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2939
Source: security@apache.org
Third Party Advisory
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E
Source: security@apache.org
Issue Tracking Mailing List
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
Source: security@apache.org
Mailing List Patch
https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html
Source: security@apache.org
Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20171018-0002/
Source: security@apache.org
Third Party Advisory
https://security.netapp.com/advisory/ntap-20180117-0002/
Source: security@apache.org
Third Party Advisory
https://support.f5.com/csp/article/K53173544
Source: security@apache.org
Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us
Source: security@apache.org
Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
Source: security@apache.org
Third Party Advisory
https://usn.ubuntu.com/3665-1/
Source: security@apache.org
Third Party Advisory
https://www.exploit-db.com/exploits/42966/
Source: security@apache.org
Exploit Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/43008/
Source: security@apache.org
Exploit Third Party Advisory VDB Entry
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Source: security@apache.org
Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Source: af854a3a-2127-422b-91ae-364da2661108
Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Source: af854a3a-2127-422b-91ae-364da2661108
Patch Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
Source: af854a3a-2127-422b-91ae-364da2661108
Patch Third Party Advisory
http://www.securityfocus.com/bid/100954
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039552
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2017:3080
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3081
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3113
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3114
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0268
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0269
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0270
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0271
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0275
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0465
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0466
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2939
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Issue Tracking Mailing List
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Patch
https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20171018-0002/
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://security.netapp.com/advisory/ntap-20180117-0002/
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://support.f5.com/csp/article/K53173544
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://usn.ubuntu.com/3665-1/
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
https://www.exploit-db.com/exploits/42966/
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Third Party Advisory VDB Entry
https://www.exploit-db.com/exploits/43008/
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Third Party Advisory VDB Entry
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Source: af854a3a-2127-422b-91ae-364da2661108
Patch Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12617
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

89 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
94.4%
100th percentile
Exploitation Status
Actively Exploited
Remediation due: 2022-04-15

Weaknesses (CWE)

CWE-434 CWE-434

Affected Vendors

redhat canonical debian netapp oracle apache

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3