Nytro
Posted September 19, 2017

[SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

From: Mark Thomas <markt@xxxxxxxxxx>
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
CC: "announce@xxxxxxxxxxxxxxxxx" <announce@xxxxxxxxxxxxxxxxx>, announce@xxxxxxxxxx, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>
Date: Tue, 19 Sep 2017 11:58:44 +0100

CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79

Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team by iswin from 360-sg-lab (360观星实验室)

History:
2017-09-19 Original advisory

References:
[1] http://tomcat.apache.org/security-7.html

Source: https://mailinglist-archive.mojah.be/varia-announce/2017-09/msg00010.php
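The advisory names two things a defender can check directly: whether the DefaultServlet's readonly init-param has been set to false in conf/web.xml (which is what enables HTTP PUT), and whether the access log shows PUT requests targeting JSP resources. The script below is an added example, not part of the advisory, the forum post, or the Tomcat project. It assumes Tomcat's documented web.xml servlet/init-param layout and the common access-log pattern (%h %l %u %t "%r" %s %b); the web.xml fragments and log lines are constructed samples, with a weak configuration shown beside the corrected one.

```python
"""Defensive checks for the exposure in the Tomcat advisory above.

Added example (not Tomcat project code). It answers two questions:
 1. Does conf/web.xml set readonly=false on the DefaultServlet, i.e. are
    HTTP PUTs enabled?  (Tomcat's default is readonly=true.)
 2. Does the access log contain PUT requests aimed at JSP resources?
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the weak setting the advisory describes (PUT enabled).
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the corrected setting (explicitly read-only).
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str) -> str:
    return "".join((c.text or "") for c in elem if _local(c.tag) == name).strip()


def default_servlet_allows_put(web_xml_text: str) -> bool:
    """True if the DefaultServlet has readonly explicitly set to false.

    A missing readonly parameter is treated as safe because Tomcat's
    documented default for it is true (PUT and DELETE rejected).
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = _child_text(param, "param-name")
            value = _child_text(param, "param-value")
            if name == "readonly" and value.lower() == "false":
                return True
    return False


# Tomcat common access-log format: %h %l %u %t "%r" %s %b
ACCESS_LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [19/Sep/2017:12:00:01 +0100] "GET /index.jsp HTTP/1.1" 200 1024',
    '192.0.2.10 - - [19/Sep/2017:12:00:02 +0100] "PUT /uploads/notes.txt HTTP/1.1" 201 -',
    '198.51.100.7 - - [19/Sep/2017:12:00:03 +0100] "PUT /test.jsp HTTP/1.1" 201 -',
    '198.51.100.7 - - [19/Sep/2017:12:00:04 +0100] "GET /test.jsp HTTP/1.1" 200 17',
]


def suspicious_jsp_puts(log_lines):
    """Return (host, path, status) for every PUT whose path mentions '.jsp'.

    Matching on the substring rather than the suffix also catches variants
    that append characters after the extension.  The status is kept so an
    analyst can tell a successful upload (2xx) from a rejected attempt.
    """
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if m and m["method"] == "PUT" and ".jsp" in m["path"].lower():
            hits.append((m["host"], m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    print("weak web.xml allows PUT:", default_servlet_allows_put(WEAK_WEB_XML))
    print("hardened web.xml allows PUT:", default_servlet_allows_put(HARDENED_WEB_XML))
    for host, path, status in suspicious_jsp_puts(SAMPLE_ACCESS_LOG):
        print(f"JSP PUT from {host}: {path} -> {status}")
```

Run it against a real conf/web.xml and localhost_access_log by reading the files into the two functions; a successful PUT to a JSP path (2xx) on an affected 7.0.x build is the indicator the advisory's description maps to, while a readonly=false result on its own is the configuration precondition that the upgrade to 7.0.81 removes as an exploitable weakness.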