#VU8541 Remote code execution in Apache Tomcat - CVE-2017-12615
Published: September 21, 2017 / Updated: February 22, 2023
Vulnerability identifier: #VU8541
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
CVE-ID: CVE-2017-12615
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
Apache Tomcat
Apache Tomcat
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in Apache Tomcat when running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) due to input validation flaw. A remote attacker can send a specially crafted HTTP PUT request to upload an arbitrary JSP file to the target system and request the file to execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists in Apache Tomcat when running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) due to input validation flaw. A remote attacker can send a specially crafted HTTP PUT request to upload an arbitrary JSP file to the target system and request the file to execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Update to version 7.0.81.