CVE-2017-12617

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via...

Basic Information

CVE State: PUBLISHED
Reserved Date: August 07, 2017
Published Date: October 03, 2017
Last Updated: February 04, 2025
Vendor: Apache Software Foundation
Product: Apache Tomcat
Description: When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CVSS Scores

CVSS v3.1

8.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2022-03-25 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2024-03-18 20:10:46 UTC) Source

References

https://access.redhat.com/errata/RHSA-2017:3113 http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html https://access.redhat.com/errata/RHSA-2017:3080 https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us https://access.redhat.com/errata/RHSA-2018:0269 https://www.exploit-db.com/exploits/42966/ https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us https://access.redhat.com/errata/RHSA-2018:0270 https://access.redhat.com/errata/RHSA-2018:0271 https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html https://access.redhat.com/errata/RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:0465 https://usn.ubuntu.com/3665-1/ http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html https://access.redhat.com/errata/RHSA-2018:0268 https://access.redhat.com/errata/RHSA-2017:3114 https://www.exploit-db.com/exploits/43008/ http://www.securitytracker.com/id/1039552 http://www.securityfocus.com/bid/100954 https://access.redhat.com/errata/RHSA-2018:0275 https://access.redhat.com/errata/RHSA-2018:0466 https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E https://security.netapp.com/advisory/ntap-20171018-0002/ https://security.netapp.com/advisory/ntap-20180117-0002/ https://access.redhat.com/errata/RHSA-2017:3081 https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E https://support.f5.com/csp/article/K53173544 https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

Known Exploited Vulnerability Information

Source	Added Date
CISA	2022-03-25 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_jsp_upload_bypass.rb	2025-04-29 11:01:24 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-12617.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

tomcat_jsp_upload_bypass

Type: metasploit • Created: Unknown

Metasploit module for CVE-2017-12617

DevaDJ/CVE-2017-12617

Type: github • Created: 2024-12-13 11:22:38 UTC • Stars: 0

Improved version of PikaChu CVE

yZeetje/CVE-2017-12617

Type: github • Created: 2024-07-04 07:23:39 UTC • Stars: 0

CVE-2017-12617

scirusvulgaris/CVE-2017-12617

Type: github • Created: 2024-06-28 08:33:41 UTC • Stars: 0

K3ysTr0K3R/CVE-2017-12617-EXPLOIT

Type: github • Created: 2024-03-18 20:10:46 UTC • Stars: 0

LongWayHomie/CVE-2017-12617

Type: github • Created: 2021-12-10 22:21:07 UTC • Stars: 3

CVE-2017-12617 is a critical vulnerability leading to Remote Code Execution (RCE) in Apache Tomcat.

ygouzerh/CVE-2017-12617

Type: github • Created: 2019-01-14 20:58:29 UTC • Stars: 2

Proof of Concept - RCE Exploitation : Web Shell on Apache Tomcat - Ensimag January 2018

qiantu88/CVE-2017-12617

Type: github • Created: 2018-12-19 10:26:33 UTC • Stars: 0

devcoinfet/CVE-2017-12617

Type: github • Created: 2018-02-09 01:02:32 UTC • Stars: 0

Code put together from a few peoples ideas credit given don't use maliciously please

cyberheartmi9/CVE-2017-12617

Type: github • Created: 2017-10-05 23:41:52 UTC • Stars: 390

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution