Apache Tomcat JSP Upload Bypass Remote Code Execution (CVE-2017-12617)

Overview

Apache Tomcat JSP Upload Bypass Remote Code Execution, tracked as CVE-2017-12617, affects vulnerable Apache Tomcat deployments when HTTP PUT is enabled for the Default servlet. Tomcat is widely used to run Java web applications, servlets, and JavaServer Pages, so unsafe upload behavior can have direct server-side execution impact.

Vulnerability Overview

CVE-2017-12617 allows a remote attacker to upload a JSP file to a vulnerable Tomcat server when HTTP PUT requests are enabled, for example when the Default servlet's readonly initialization parameter is set to false (Tomcat treats the parameter as true when it is absent).

The uploaded JSP can then be requested through the web server. If Tomcat processes that file as server-side Java code, the upload issue becomes remote code execution in the context of the Tomcat application process.

Impact

CVE-2017-12617 has a CVSS 3.1 score of 8.1 and is rated High. The score reflects network reachability, no required privileges, no user interaction, and high confidentiality, integrity, and availability impact; attack complexity is rated high because exploitation depends on a specific risky server configuration rather than on the default settings.

Successful exploitation can allow an attacker to execute code on the application server, modify deployed web content, access sensitive application data, install persistence, or use the Tomcat host as a foothold into the surrounding environment.

The vulnerability was added to the CISA Known Exploited Vulnerabilities Catalog on March 25, 2022, which reflects confirmed exploitation in the wild.

Vulnerability Scope

CVE-2017-12617 affects Apache Tomcat 9.0.0.M1 through 9.0.0, 8.5.0 through 8.5.22, 8.0.0.RC1 through 8.0.46, and 7.0.0 through 7.0.81 when HTTP PUT is enabled for the Default servlet.

The highest-risk exposure is an internet-facing Tomcat instance where the vulnerable upload path is reachable and JSP files can be written into a location that Tomcat later executes. Systems that keep the Default servlet read-only are not exposed to this specific upload path in the same way.

Lab Focus

This lab focuses on understanding how unsafe upload behavior in a Java web server can become remote code execution. The goal is to practice recognizing dangerous server configuration, evaluating upload-to-execution paths, and understanding why servlet defaults and deployment settings matter.

Resources