tomcat-users mailing list archives

From Baron Fujimoto <>
Subject Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload
Date Wed, 04 Oct 2017 01:28:28 GMT
On Tue, Oct 03, 2017 at 10:55:26AM +0000, Mark Thomas wrote:
>CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>Severity: Important
>Vendor: The Apache Software Foundation
>Versions Affected:
>Apache Tomcat 8.0.0.RC1 to 8.0.46
>When running with HTTP PUTs enabled (e.g. via setting the readonly
>initialisation parameter of the Default servlet to false) it was
>possible to upload a JSP file to the server via a specially crafted
>request. This JSP could then be requested and any code it contained
>would be executed by the server.
>Users of the affected versions should apply one of the following
>- Upgrade to Apache Tomcat 8.0.47 or later

I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat
website seem to reference it yet, but it appears to be available in the
distribution archive(s). E.g.:


Is this 8.0.47 blessed for use?

Baron Fujimoto <> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

