CVE-2017-12617

KEV EPSS 94.36% · P100 Updated Feb 21, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2017-12617

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Description

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

Apache Tomcat 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Apache Tomcat是美国阿帕奇（Apache）软件基金会下属的Jakarta项目的一款轻量级Web应用服务器，它主要用于开发和调试JSP程序，适用于中小型系统。 Apache Tomcat中存在安全漏洞。攻击者可通过发送特制的请求利用该漏洞向服务器上传JSP文件，并执行文件中包含的代码。以下版本受到影响：Apache Tomcat 9.0.0.M1版本至9.0.0版本，8.5.0版本至8.5.22版本，8.0.0.RC1版本至8.0.46版本，7.0.0版本至7.0.81版本。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Apache Software Foundation	Apache Tomcat	9.0.0.M1 to 9.0.0	-

II. Public POCs for CVE-2017-12617

#	POC Description	Source Link	Shenlong Link
1	Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution	https://github.com/cyberheartmi9/CVE-2017-12617	POC Details
2	Code put together from a few peoples ideas credit given don't use maliciously please	https://github.com/devcoinfet/CVE-2017-12617	POC Details
3	None	https://github.com/qiantu88/CVE-2017-12617	POC Details
4	Proof of Concept - RCE Exploitation : Web Shell on Apache Tomcat - Ensimag January 2018	https://github.com/ygouzerh/CVE-2017-12617	POC Details
5	Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution for Python3	https://github.com/tyranteye666/tomcat-cve-2017-12617	POC Details
6	An implementation of CVE-2017-12617	https://github.com/jptr218/tc_hack	POC Details
7	CVE-2017-12617 is a critical vulnerability leading to Remote Code Execution (RCE) in Apache Tomcat.	https://github.com/LongWayHomie/CVE-2017-12617	POC Details
8	None	https://github.com/K3ysTr0K3R/CVE-2017-12617-EXPLOIT	POC Details
9	None	https://github.com/scirusvulgaris/CVE-2017-12617	POC Details
10	CVE-2017-12617	https://github.com/yZ1337/CVE-2017-12617	POC Details
11	Improved version of PikaChu CVE	https://github.com/DevaDJ/CVE-2017-12617	POC Details
12	When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2017/CVE-2017-12617.yaml	POC Details
13	None	https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Apache%20Tomcat%20RCE%20via%20JSP%20Upload%20Bypass.md	POC Details
14	CVE-2017-12617	https://github.com/yZeetje/CVE-2017-12617	POC Details
15	CVE-2017-12617	https://github.com/yZee00/CVE-2017-12617	POC Details
16	None	https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Apache%20Tomcat%20RCE%20via%20JSP%20Upload%20Bypass%20CVE-2017-12617.md	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2017-12617

Please Login to view more intelligence information

https://support.f5.com/csp/article/K53173544x_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlx_refsource_CONFIRM
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlx_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20171018-0002/x_refsource_CONFIRM
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_usx_refsource_CONFIRM
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlx_refsource_MISC
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlx_refsource_CONFIRM
https://security.netapp.com/advisory/ntap-20180117-0002/x_refsource_CONFIRM
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_usx_refsource_CONFIRM
https://www.exploit-db.com/exploits/43008/exploitx_refsource_EXPLOIT-DB
https://www.exploit-db.com/exploits/42966/exploitx_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/100954vdb-entryx_refsource_BID
http://www.securitytracker.com/id/1039552vdb-entryx_refsource_SECTRACK
https://usn.ubuntu.com/3665-1/vendor-advisoryx_refsource_UBUNTU
https://access.redhat.com/errata/RHSA-2018:0269vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:3080vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0271vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0465vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0466vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0270vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0268vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:3113vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:2939vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:3114vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:0275vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2017:3081vendor-advisoryx_refsource_REDHAT
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.debian.org/debian-lts-announce/2017/11/msg00009.htmlmailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://nvd.nist.gov/vuln/detail/CVE-2017-12617

IV. Related Vulnerabilities

Same product: Apache Tomcat

Same vendor: Apache Software Foundation

V. Comments for CVE-2017-12617

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2017-12617

I. Basic Information for CVE-2017-12617

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2017-12617

III. Intelligence Information for CVE-2017-12617

IV. Related Vulnerabilities

V. Comments for CVE-2017-12617

Leave a comment