Hello.
Did the issue below also affect the DAV application ?
And if yes, also only under Windows ?
-------- Forwarded Message --------
Subject: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP
upload
Date: Tue, 19 Sep 2017 11:58:44 +0100
From: Mark Thomas <ma...@apache.org>
Reply-To: Tomcat Users List <users@tomcat.apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
CC: annou...@tomcat.apache.org <annou...@tomcat.apache.org>, annou...@apache.org, Tomcat
Developers List <d...@tomcat.apache.org>
CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79
Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the
readonly initialisation parameter of the Default to false) it was
possible to upload a JSP file to the server via a specially crafted
request. This JSP could then be requested and any code it contained
would be executed by the server.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)
Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by iswin from 360-sg-lab (360观星实验室)
History:
2017-09-19 Original advisory
References:
[1] http://tomcat.apache.org/security-7.html
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
