CVE-2017-12617: Unrestricted Upload of File with Dangerous Type

October 4, 2017 (updated April 23, 2019)

When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

References

www.securityfocus.com/bid/100954
www.securitytracker.com/id/1039552
nvd.nist.gov/vuln/detail/CVE-2017-12617
www.exploit-db.com/exploits/42966/
www.exploit-db.com/exploits/43008/

Code Behaviors & Features

Detect and mitigate CVE-2017-12617 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 7.0.0 up to 7.0.51, all versions starting from 7.0.54 up to 7.0.77, all versions starting from 7.0.79 up to 7.0.81, all versions starting from 8.0.0 up to 8.0.2, version 8.0.4, all versions starting from 8.0.6 up to 8.0.7, all versions starting from 8.0.9 up to 8.0.46, all versions starting from 8.5.0 up to 8.5.22, version 9.0.0