CVE-2017-12615

CVE-2017-12615 is a high-severity vulnerability in Apache Tomcat with a CVSS 3.x base score of 8.1. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-25). The underlying weakness is classified as CWE-434.

Key facts

Description

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CVE-2017-12615: Apache Tomcat JSP Upload via HTTP PUT (Windows)

AI-generated analysis based on the vulnerability data on this page.

| CVE ID | CVE-2017-12615 |
| CWE | CWE-434 — Unrestricted Upload of File with Dangerous Type |
| CVSS v2 | 6.8 (Medium) — AV:N/AC:M/Au:N/C:P/I:P/A:P |
| CVSS v3 | 8.1 (High) — AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| EPSS | 0.99607 (99.6th percentile) |
| KEV | Listed since 2022-03-25 |
| Published | 2017-09-19 |
| Modified | 2026-06-17 |

Summary

When Apache Tomcat 7.0.0 to 7.0.79 is deployed on Windows with HTTP PUT methods enabled (e.g., by setting the readonly initialization parameter of the Default servlet to false), an attacker can upload a JSP file to the server using a specially crafted PUT request. Once uploaded, the JSP file can be requested via HTTP GET, causing the server to execute the embedded code. This is an unrestricted file upload vulnerability with direct remote code execution impact.

Background

Apache Tomcat provides a Default servlet that can serve static content and, when configured with readonly=false, also supports HTTP PUT and DELETE methods for resource management. On Windows systems, the file path validation logic in affected versions fails to properly reject dangerous file extensions when certain character sequences are used. This bypass allows an attacker to upload a .jsp file even though the servlet is intended to block executable content. The vulnerability has been actively exploited in the wild and is tracked by CISA's Known Exploited Vulnerabilities catalog.

Root Cause

CWE-434 — Unrestricted Upload of File with Dangerous Type

The Tomcat Default servlet's file-path normalization logic on Windows does not correctly handle specific bypass sequences (e.g., null bytes or alternate encoding patterns) when validating the target filename during a PUT request. Consequently, the servlet writes the uploaded payload to disk with a .jsp extension, which the Jasper JSP engine then compiles and executes on subsequent requests. The root cause is insufficient input validation at the file-upload boundary, where the server trusts the client-provided filename without rigorous sanitization against executable extensions.

Impact

  • CVSS v2 (6.8, Medium): Network-accessible, medium attack complexity, no authentication required. Partial impact on confidentiality, integrity, and availability.
  • CVSS v3 (8.1, High): Network attack vector, high attack complexity, no privileges or user interaction required. The scope is unchanged, but the impact on confidentiality, integrity, and availability is all HIGH.

Successful exploitation grants an unauthenticated remote attacker arbitrary code execution on the Tomcat server with the privileges of the service account. This can lead to full system compromise, lateral movement, data exfiltration, and persistence.

Exploitation Walkthrough (Defensive Analysis)

Ethics caveat: This section describes the attack mechanics from a defender's perspective only. No weaponized exploit code is provided. Understanding these steps is essential for detection, validation, and hardening.

  1. Reconnaissance: The attacker identifies a Tomcat instance that responds to HTTP PUT requests. This can be confirmed by sending an OPTIONS or a benign PUT request and observing the response.
  2. Configuration Exposure: The target must have the Default servlet configured with readonly=false (or an equivalent custom configuration that enables PUT).
  3. Upload Bypass: The attacker crafts a PUT request with a filename that bypasses extension filters. On Windows, specific character sequences may cause the Windows file API to interpret the filename differently than Tomcat's Java-level validation.
  4. Code Execution: After successful upload, the attacker sends an HTTP GET request to the uploaded JSP path. Tomcat's Jasper engine compiles and executes the JSP, running the embedded Java code.

Affected and Patched Versions

Status Versions
Affected Apache Tomcat 7.0.0 – 7.0.79 on Windows
Patched Apache Tomcat 7.0.81 and later

Note: The vulnerable configuration requires HTTP PUT to be explicitly enabled (it is disabled by default). Windows is the affected platform due to filesystem-specific path-handling behavior. Linux and other Unix-like systems are not vulnerable to this specific bypass vector.

Remediation

  1. Upgrade: Update Apache Tomcat to version 7.0.81 or later. Later 7.x releases (e.g., 7.0.82+) contain the fix.
  2. Disable PUT (if not required): Ensure the Default servlet's readonly parameter is set to true (the default). If custom servlets handle PUT, audit them for similar extension-validation weaknesses.
  3. Restrict HTTP Methods: Use the Tomcat <security-constraint> or fronting reverse proxy (NGINX, Apache HTTPD) to block or restrict HTTP PUT and DELETE methods at the network edge.
  4. File Upload Validation: If your application accepts file uploads, enforce strict whitelist-based extension checks, content-type validation, and store uploads outside the web root.
  5. Compensating Controls:
    • Run Tomcat under a dedicated low-privilege service account.
    • Enable process monitoring and application control (e.g., AppLocker) to prevent execution of untrusted JSP binaries.
    • Deploy Web Application Firewalls (WAF) with rules for anomalous HTTP methods and JSP upload patterns.

Detection

  • Network signatures: Monitor HTTP PUT requests targeting .jsp, .jspx, or paths containing suspicious encoding (null bytes, %00, double extensions).
  • File integrity: Alert on new .jsp files appearing in unexpected directories (e.g., under webapps/ROOT/ or static-content paths).
  • Process telemetry: Monitor for unexpected java.exe or tomcat.exe child processes, especially those spawning shells or network connections.
  • Log correlation: Correlate PUT requests (HTTP 201/204) followed by GET requests to the same path with HTTP 200 and large response bodies, indicating JSP execution.

Assessment

With an EPSS score of 0.99607 and a KEV listing since March 2022, this vulnerability is almost certainly being exploited in the wild. The high CVSS v3 score (8.1) and the triviality of the attack once PUT is enabled make it a high-priority remediation target.

Key lessons:

  1. Never enable dangerous HTTP methods on production-facing servlets without rigorous extension and content validation. The convenience of PUT support is rarely worth the security trade-off.
  2. Platform-specific behavior matters. Windows filesystem quirks (e.g., null-byte truncation, case-insensitive matching) can bypass validation logic that is safe on Linux. Cross-platform testing is essential for upload controls.

References

Frequently asked questions

What is CVE-2017-12615?
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
How severe is CVE-2017-12615?
CVE-2017-12615 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2017-12615 being actively exploited?
Yes. CVE-2017-12615 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2017-12615?
CVE-2017-12615 primarily affects Apache Tomcat. In total, 50 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2017-12615?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2017-12615 have an EU (EUVD) identifier?
Yes. CVE-2017-12615 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2018-0654. It is also flagged as exploited in the EUVD (since 2022-03-25).
When was CVE-2017-12615 published?
CVE-2017-12615 was published on 2017-09-19 and last updated on 2026-06-17.

References

Affected products (50)

More vulnerabilities in Apache Tomcat

All CVEs affecting Apache Tomcat →

Other CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities

Browse all CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerabilities →