CVE-2017-12617

Priority
Description
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22,
8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via
setting the readonly initialisation parameter of the Default servlet to
false) it was possible to upload a JSP file to the server via a specially
crafted request. This JSP could then be requested and any code it contained
would be executed by the server.
Assigned-to
mdeslaur
Notes
Package
Upstream: released (8.0.47, 8.5.23)
Ubuntu 18.04 LTS: not-affected (8.5.30-1ubuntu1)
Ubuntu 20.04 LTS: DNE
Ubuntu 21.10: DNE
Ubuntu 16.04 ESM: released (8.0.32-1ubuntu1.6)
Ubuntu 22.04 LTS: DNE
Ubuntu 14.04 ESM: DNE
Patches:
Upstream: https://svn.apache.org/r1809272 (8.5.x)
Upstream: https://svn.apache.org/r1809274 (8.5.x)
Upstream: https://svn.apache.org/r1809275 (8.5.x)
Upstream: https://svn.apache.org/r1809673 (8.5.x)
Upstream: https://svn.apache.org/r1809675 (8.5.x)
Upstream: https://svn.apache.org/r1809896 (8.5.x)
Upstream: https://svn.apache.org/r1809283 (8.0.x)
Upstream: https://svn.apache.org/r1809284 (8.0.x)
Upstream: https://svn.apache.org/r1809285 (8.0.x)
Upstream: https://svn.apache.org/r1809296 (8.0.x)
Upstream: https://svn.apache.org/r1809921 (8.0.x)
Package
Upstream: released (8.0.47)
Ubuntu 18.04 LTS: DNE
Ubuntu 20.04 LTS: DNE
Ubuntu 21.10: DNE
Ubuntu 22.04 LTS: DNE
Ubuntu 14.04 ESM: DNE
Patches:
Upstream: https://svn.apache.org/r1809921 (8.0.x)
More Information

Updated: 2022-04-25 00:19:08 UTC (commit ecc1009cb19540b950de59270950018900f37f15)