Vulnerability CVE-2017-12617


Published: 2017-10-03   Modified: 2017-10-04

Description:
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

See advisories in our WLB2 database:
Topic
Author
Date
High
Apache Tomcat Upload Bypass / Remote Code Execution
intx0x80
11.10.2017
High
Tomcat JSP Upload Bypass Remote Code Execution
peewpw
12.10.2017
Med.
Tomcat Remote Code Execution via JSP Upload Bypass
peewpw
19.10.2017

Type:

CWE-434

(Unrestricted Upload of File with Dangerous Type)

Vendor: Apache
Product: Tomcat 
Version:
9.0.0
8.5.9
8.5.8
8.5.7
8.5.6
8.5.5
8.5.4
8.5.3
8.5.22
8.5.21
8.5.20
8.5.2
8.5.19
8.5.18
8.5.17
8.5.16
8.5.15
8.5.14
8.5.13
8.5.12
8.5.11
8.5.10
8.5.1
8.5.0
8.0.9
8.0.7
8.0.6
8.0.46
8.0.45
8.0.44
8.0.43
8.0.42
8.0.41
8.0.40
8.0.4
8.0.39
8.0.38
8.0.37
8.0.36
8.0.35
8.0.34
8.0.33
8.0.32
8.0.31
8.0.30
8.0.29
8.0.28
8.0.27
8.0.26
8.0.25
8.0.24
8.0.23
8.0.22
8.0.21
8.0.20
8.0.2
8.0.19
8.0.18
8.0.17
8.0.16
8.0.15
8.0.14
8.0.13
8.0.12
8.0.11
8.0.10
8.0.1
8.0.0
7.0.9
7.0.81
7.0.80
7.0.8
7.0.79
7.0.77
7.0.76
7.0.75
7.0.74
7.0.73
7.0.72
7.0.71
7.0.70
7.0.7
7.0.69
7.0.68
7.0.67
7.0.66
7.0.65
7.0.64
7.0.63
7.0.62
7.0.61
7.0.60
7.0.6
7.0.59
7.0.58
7.0.57
7.0.56
7.0.55
7.0.54
7.0.51
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.securityfocus.com/bid/100954
http://www.securitytracker.com/id/1039552
https://access.redhat.com/errata/RHSA-2017:3080
https://access.redhat.com/errata/RHSA-2017:3081
https://access.redhat.com/errata/RHSA-2017:3113
https://access.redhat.com/errata/RHSA-2017:3114
https://access.redhat.com/errata/RHSA-2018:0268
https://access.redhat.com/errata/RHSA-2018:0269
https://access.redhat.com/errata/RHSA-2018:0270
https://access.redhat.com/errata/RHSA-2018:0271
https://access.redhat.com/errata/RHSA-2018:0275
https://access.redhat.com/errata/RHSA-2018:0465
https://access.redhat.com/errata/RHSA-2018:0466
https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html
https://security.netapp.com/advisory/ntap-20171018-0002/
https://security.netapp.com/advisory/ntap-20180117-0002/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
https://www.exploit-db.com/exploits/42966/
https://www.exploit-db.com/exploits/43008/

Related CVE
CVE-2018-1339
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.
CVE-2018-1338
A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.
CVE-2018-1292
Within the 'getReportType' method in Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, a hacker could inject SQL to read/update data for which he doesn't have authorization for by way of the 'reportName' parameter.
CVE-2018-1291
Apache Fineract 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' which are appended directly with SQL statements. A hacker/user can inject...
CVE-2018-1290
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsAp...
CVE-2018-1289
In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, the system exposes different REST end points to query domain specific entities with a Query Parameter 'orderBy' and 'sortOrder' which are appended directly with ...
CVE-2018-1308
This vulnerability in Apache Solr 1.2 to 6.6.2 and 7.0.0 to 7.2.1 relates to an XML external entity expansion (XXE) in the `&dataConfig=<inlinexml>` parameter of Solr's DataImportHandler. It can be used as XXE using file/ftp/http protocols in order t...
CVE-2018-1315
In Apache Hive 2.1.0 to 2.3.2, when 'COPY FROM FTP' statement is run using HPL/SQL extension to Hive, a compromised/malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is b...

Copyright 2018, cxsecurity.com

 

Back to Top