FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

payara -- Code execution via crafted PUT requests to JSPs

Affected packages
payara = 4.1.2.174

Details

VuXML ID 22bc5327-f33f-11e8-be46-0019dbb15b3f
Discovery 2017-08-07
Entry 2018-11-28

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

References

CVE Name CVE-2017-12615
URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615