Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-et9y-m4hb-43h7

Summary

Unrestricted Upload of File with Dangerous Type
When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Aliases

alias	CVE-2017-12615

alias	GHSA-pjfr-qf3p-3q25

Fixed_packages

url	pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.52
purl	pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.52
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.52

url pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.78

purl pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.78

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-u95s-xhwk-vka6

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.78

url	pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.81
purl	pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.81
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.81

url	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.79
purl	pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.79
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.79

Affected_packages

url pkg:maven/org.apache.tomcat/tomcat-catalina@7.0

purl pkg:maven/org.apache.tomcat/tomcat-catalina@7.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-et9y-m4hb-43h7

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-catalina@7.0

url pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.51

purl pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.51

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8fn4-hnez-y3eb

vulnerability	VCID-et9y-m4hb-43h7

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.51

url pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.54

purl pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.54

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8fn4-hnez-y3eb

vulnerability	VCID-et9y-m4hb-43h7

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.54

url pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.77

purl pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.77

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8fn4-hnez-y3eb

vulnerability	VCID-et9y-m4hb-43h7

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.77

url pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.79

purl pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.79

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-8fn4-hnez-y3eb

vulnerability	VCID-et9y-m4hb-43h7

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat-catalina@7.0.79

url pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.0

purl pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-axzz-cadr-b7fv

vulnerability	VCID-dk58-p9py-rka9

vulnerability	VCID-et9y-m4hb-43h7

vulnerability	VCID-gmjm-6ck2-skgu

vulnerability	VCID-se44-f85s-xyex

vulnerability	VCID-xa95-zsnk-3kg9

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.0

References

reference_url	http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html
reference_id
reference_type
scores
url	http://breaktoprotect.blogspot.com/2017/09/the-case-of-cve-2017-12615-tomcat-7-put.html

reference_url	https://access.redhat.com/errata/RHSA-2017:3080
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2017:3080

reference_url	https://access.redhat.com/errata/RHSA-2017:3081
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2017:3081

reference_url	https://access.redhat.com/errata/RHSA-2017:3113
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2017:3113

reference_url	https://access.redhat.com/errata/RHSA-2017:3114
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2017:3114

reference_url	https://access.redhat.com/errata/RHSA-2018:0465
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2018:0465

reference_url	https://access.redhat.com/errata/RHSA-2018:0466
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2018:0466

reference_url	https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/8fcb1e2d5895413abcf266f011b9918ae03e0b7daceb118ffbf23f8c@%3Cannounce.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

reference_url	https://security.netapp.com/advisory/ntap-20171018-0001/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20171018-0001/

reference_url	https://www.exploit-db.com/exploits/42953/
reference_id
reference_type
scores
url	https://www.exploit-db.com/exploits/42953/

reference_url	https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
reference_id
reference_type
scores
url	https://www.synology.com/support/security/Synology_SA_17_54_Tomcat

reference_url	http://www.securityfocus.com/bid/100901
reference_id
reference_type
scores
url	http://www.securityfocus.com/bid/100901

reference_url	http://www.securitytracker.com/id/1039392
reference_id
reference_type
scores
url	http://www.securitytracker.com/id/1039392

reference_url	https://github.com/breaktoprotect/CVE-2017-12615
reference_id	CVE-2017-12615
reference_type
scores
url	https://github.com/breaktoprotect/CVE-2017-12615

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2017-12615
reference_id	CVE-2017-12615
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2017-12615

reference_url	https://github.com/advisories/GHSA-pjfr-qf3p-3q25
reference_id	GHSA-pjfr-qf3p-3q25
reference_type
scores
url	https://github.com/advisories/GHSA-pjfr-qf3p-3q25

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	434
name	Unrestricted Upload of File with Dangerous Type
description	The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	78
name	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
description	The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-et9y-m4hb-43h7

Vulnerability Instance