CVE-2017-12615

Name: CVE-2017-12615
Creator: NVD / NIST
Published: 2017-09-19T13:29:00.19+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 8.1/10Actively ExploitedEPSS 99.61%

Last modified Jun 17, 2026

CVE-2017-12615 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.61% chance of exploitation in the next 30 days.

Description

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Metrics

CVSS 3.1

8.1/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

99.61%

99.9th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Apr 15, 2022.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Apache	Tomcat	>= 7.0.0, <= 7.0.79
Netapp	7-Mode Transition Tool	All versions
Netapp	Oncommand Balance	All versions
Netapp	Oncommand Shift	All versions
Redhat	Enterprise Linux Server Update Services For Sap Solutions	7.4
Redhat	Enterprise Linux Server Update Services For Sap Solutions	7.6
Redhat	Enterprise Linux Server Update Services For Sap Solutions	7.7
Redhat	Jboss Enterprise Web Server	2.0.0
Redhat	Jboss Enterprise Web Server	3.0.0
Redhat	Jboss Enterprise Web Server Text-Only Advisories	All versions
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Eus	7.4
Redhat	Enterprise Linux Eus	7.5
Redhat	Enterprise Linux Eus	7.6
Redhat	Enterprise Linux Eus	7.7
Redhat	Enterprise Linux Eus Compute Node	7.4
Redhat	Enterprise Linux Eus Compute Node	7.5
Redhat	Enterprise Linux Eus Compute Node	7.6
Redhat	Enterprise Linux Eus Compute Node	7.7
Redhat	Enterprise Linux For Ibm Z Systems	7.0_s390x
Redhat	Enterprise Linux For Ibm Z Systems Eus	7.4_s390x
Redhat	Enterprise Linux For Ibm Z Systems Eus	7.5_s390x
Redhat	Enterprise Linux For Ibm Z Systems Eus	7.6_s390x
Redhat	Enterprise Linux For Ibm Z Systems Eus	7.7_s390x
Redhat	Enterprise Linux For Power Big Endian	7.0_ppc64
Redhat	Enterprise Linux For Power Big Endian Eus	7.4_ppc64
Redhat	Enterprise Linux For Power Big Endian Eus	7.5_ppc64
Redhat	Enterprise Linux For Power Big Endian Eus	7.6_ppc64
Redhat	Enterprise Linux For Power Big Endian Eus	7.7_ppc64
Redhat	Enterprise Linux For Power Little Endian	7.0_ppc64le
Redhat	Enterprise Linux For Power Little Endian Eus	7.4_ppc64le
Redhat	Enterprise Linux For Power Little Endian Eus	7.5_ppc64le
Redhat	Enterprise Linux For Power Little Endian Eus	7.6_ppc64le
Redhat	Enterprise Linux For Power Little Endian Eus	7.7_ppc64le
Redhat	Enterprise Linux For Scientific Computing	7.0
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Aus	7.4
Redhat	Enterprise Linux Server Aus	7.6
Redhat	Enterprise Linux Server Aus	7.7
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	7.4_ppc64le
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	7.6_ppc64le
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	7.7_ppc64le
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	9.2_ppc64le
Redhat	Enterprise Linux Server Tus	7.4
Redhat	Enterprise Linux Server Tus	7.6
Redhat	Enterprise Linux Server Tus	7.7
Redhat	Enterprise Linux Workstation	6.0
Redhat	Enterprise Linux Workstation	7.0

References

http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.htmlExploit
http://www.securityfocus.com/bid/100901Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039392Broken Link, Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:3080Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3081Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3113Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3114Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0465Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0466Third Party Advisory
https://github.com/breaktoprotect/CVE-2017-12615Exploit, Third Party Advisory
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3EMailing List, Patch
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3EMailing List, Patch
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3EMailing List, Patch
https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3EIssue Tracking, Mailing List
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3EMailing List
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3EMailing List, Patch
https://security.netapp.com/advisory/ntap-20171018-0001/Third Party Advisory
https://www.exploit-db.com/exploits/42953/Third Party Advisory, VDB Entry
https://www.synology.com/support/security/Synology_SA_17_54_TomcatThird Party Advisory
http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.htmlExploit
http://www.securityfocus.com/bid/100901Broken Link, Third Party Advisory, VDB Entry
http://www.securitytracker.com/id/1039392Broken Link, Third Party Advisory, VDB Entry
https://access.redhat.com/errata/RHSA-2017:3080Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3081Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3113Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:3114Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0465Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:0466Third Party Advisory
https://github.com/breaktoprotect/CVE-2017-12615Exploit, Third Party Advisory
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3EMailing List, Patch
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3EMailing List, Patch
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3EMailing List, Patch
https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c%40%3Cannounce.tomcat.apache.org%3EIssue Tracking, Mailing List
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3EMailing List
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3EMailing List, Patch
https://security.netapp.com/advisory/ntap-20171018-0001/Third Party Advisory
https://www.exploit-db.com/exploits/42953/Third Party Advisory, VDB Entry
https://www.synology.com/support/security/Synology_SA_17_54_TomcatThird Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12615US Government Resource

Timeline

Published: Sep 19, 2017
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2017-12615?

How severe is CVE-2017-12615?

CVE-2017-12615 has a CVSS score of 8.1/10 (HIGH severity). The EPSS model estimates a 99.61% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2017-12615?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-12615?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST