Description
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22,
8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via
setting the readonly initialisation parameter of the Default servlet to
false) it was possible to upload a JSP file to the server via a specially
crafted request. This JSP could then be requested and any code it contained
would be executed by the server.
Package
Upstream: | released
(7.0.82)
|
Ubuntu 18.04 LTS: | needed
|
Ubuntu 20.04 LTS: | DNE
|
Ubuntu 21.10: | DNE
|
Ubuntu 22.04 LTS: | DNE
|
Ubuntu 14.04 ESM: | released
(7.0.52-1ubuntu0.14)
|
Patches:
Package
Upstream: | released
(8.0.47,8.5.23)
|
Ubuntu 18.04 LTS: | not-affected
(8.5.30-1ubuntu1)
|
Ubuntu 20.04 LTS: | DNE
|
Ubuntu 21.10: | DNE
|
Ubuntu 16.04 ESM: | released
(8.0.32-1ubuntu1.6)
|
Ubuntu 22.04 LTS: | DNE
|
Ubuntu 14.04 ESM: | DNE
|
Patches:
Package
Upstream: | released
(8.0.47)
|
Ubuntu 18.04 LTS: | DNE
|
Ubuntu 20.04 LTS: | DNE
|
Ubuntu 21.10: | DNE
|
Ubuntu 22.04 LTS: | DNE
|
Ubuntu 14.04 ESM: | DNE
|
Patches:
Updated: 2022-04-25 00:19:08 UTC (commit ecc1009cb19540b950de59270950018900f37f15)