| Severity |
|
| Remote |
|
| Type |
| + |
Arbitrary code execution |
|
| Description |
| + |
It has been discovered that tomcat version 7.0.80 and before are vulnerable to arbitrary code execution on Windows systems. When running Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. |
|
| References |
| + |
https://mail-archives.apache.org/mod_mbox/tomcat-announce/201709.mbox/%3C81e3acd3-f335-ff0d-ae89-bf44bb66fca0%40apache.org%3E |
| + |
http://svn.apache.org/viewvc?view=revision&revision=1804729 |
| + |
http://svn.apache.org/viewvc?view=revision&revision=1804604 |
|
| Notes |
| + |
Only affects Windows systems. |
|