Main
Vulnerability Database
Exploits
ID:8864 - Exploit for Remote code execution in Apache Tomcat - CVE-2017-12615
ID:8864 - Exploit for Remote code execution in Apache Tomcat - CVE-2017-12615
Published: February 22, 2023
Vulnerability identifier: #VU8541
Vulnerability risk: High
CVE-ID: CVE-2017-12615
CWE-ID: CWE-20
Exploitation vector: Remote access
Vulnerable software:
Apache Tomcat
Apache Tomcat
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in Apache Tomcat when running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) due to input validation flaw. A remote attacker can send a specially crafted HTTP PUT request to upload an arbitrary JSP file to the target system and request the file to execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists in Apache Tomcat when running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) due to input validation flaw. A remote attacker can send a specially crafted HTTP PUT request to upload an arbitrary JSP file to the target system and request the file to execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to version 7.0.81.