CVE-2017-12617

Priority
Description
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22,
8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via
setting the readonly initialisation parameter of the Default servlet to
false) it was possible to upload a JSP file to the server via a specially
crafted request. This JSP could then be requested and any code it contained
would be executed by the server.
Assigned-to
mdeslaur
Notes
Package
Upstream:released (8.0.47,8.5.23)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (8.0.32-1ubuntu1.6)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (8.5.30-1ubuntu1)
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:https://svn.apache.org/r1809272 (8.5.x)
Upstream:https://svn.apache.org/r1809274 (8.5.x)
Upstream:https://svn.apache.org/r1809275 (8.5.x)
Upstream:https://svn.apache.org/r1809673 (8.5.x)
Upstream:https://svn.apache.org/r1809675 (8.5.x)
Upstream:https://svn.apache.org/r1809896 (8.5.x)
Upstream:https://svn.apache.org/r1809283 (8.0.x)
Upstream:https://svn.apache.org/r1809284 (8.0.x)
Upstream:https://svn.apache.org/r1809285 (8.0.x)
Upstream:https://svn.apache.org/r1809296 (8.0.x)
Upstream:https://svn.apache.org/r1809921 (8.0.x)
Package
Upstream:released (8.0.47)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:https://svn.apache.org/r1809921 (8.0.x)
More Information

Updated: 2019-10-18 02:30:53 UTC (commit cccfc4426d8c1fbf582a89d981fe7fc812124543)