CVE-2017-12616

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
apachetomcat
7.0.0
apachetomcat
7.0.0:beta
apachetomcat
7.0.1
apachetomcat
7.0.2
apachetomcat
7.0.2:beta
apachetomcat
7.0.3
apachetomcat
7.0.4
apachetomcat
7.0.4:beta
apachetomcat
7.0.5
apachetomcat
7.0.5:beta
apachetomcat
7.0.6
apachetomcat
7.0.7
apachetomcat
7.0.8
apachetomcat
7.0.9
apachetomcat
7.0.10
apachetomcat
7.0.11
apachetomcat
7.0.12
apachetomcat
7.0.13
apachetomcat
7.0.14
apachetomcat
7.0.15
apachetomcat
7.0.16
apachetomcat
7.0.17
apachetomcat
7.0.18
apachetomcat
7.0.19
apachetomcat
7.0.20
apachetomcat
7.0.21
apachetomcat
7.0.22
apachetomcat
7.0.23
apachetomcat
7.0.24
apachetomcat
7.0.25
apachetomcat
7.0.26
apachetomcat
7.0.27
apachetomcat
7.0.28
apachetomcat
7.0.29
apachetomcat
7.0.30
apachetomcat
7.0.31
apachetomcat
7.0.32
apachetomcat
7.0.33
apachetomcat
7.0.34
apachetomcat
7.0.35
apachetomcat
7.0.36
apachetomcat
7.0.37
apachetomcat
7.0.38
apachetomcat
7.0.39
apachetomcat
7.0.40
apachetomcat
7.0.41
apachetomcat
7.0.42
apachetomcat
7.0.43
apachetomcat
7.0.44
apachetomcat
7.0.45
apachetomcat
7.0.46
apachetomcat
7.0.47
apachetomcat
7.0.48
apachetomcat
7.0.49
apachetomcat
7.0.50
apachetomcat
7.0.51
apachetomcat
7.0.54
apachetomcat
7.0.55
apachetomcat
7.0.56
apachetomcat
7.0.57
apachetomcat
7.0.58
apachetomcat
7.0.59
apachetomcat
7.0.60
apachetomcat
7.0.61
apachetomcat
7.0.62
apachetomcat
7.0.63
apachetomcat
7.0.64
apachetomcat
7.0.65
apachetomcat
7.0.66
apachetomcat
7.0.67
apachetomcat
7.0.68
apachetomcat
7.0.69
apachetomcat
7.0.70
apachetomcat
7.0.71
apachetomcat
7.0.72
apachetomcat
7.0.73
apachetomcat
7.0.74
apachetomcat
7.0.75
apachetomcat
7.0.76
apachetomcat
7.0.77
apachetomcat
7.0.79
apachetomcat
7.0.80
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat7
artful
ignored
bionic
needed
cosmic
ignored
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
Fixed 7.0.52-1ubuntu0.14
released
xenial
needed
zesty
ignored
tomcat8
artful
not-affected
bionic
not-affected
cosmic
not-affected
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
precise
dne
trusty
dne
xenial
not-affected
zesty
ignored
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
tomcat
suse enterprise server 12
7.0.82-7.16.1
fixed
tomcat-admin-webapps
suse enterprise server 12
7.0.82-7.16.1
fixed
tomcat-docs-webapp
suse enterprise server 12
7.0.82-7.16.1
fixed
tomcat-el-2_2-api
suse enterprise server 12
7.0.82-7.16.1
fixed
tomcat-javadoc
suse enterprise server 12
7.0.82-7.16.1
fixed
tomcat-jsp-2_2-api
suse enterprise server 12
7.0.82-7.16.1
fixed
tomcat-lib
suse enterprise server 12
7.0.82-7.16.1
fixed
tomcat-servlet-3_0-api
suse enterprise server 12
7.0.82-7.16.1
fixed
tomcat-webapps
suse enterprise server 12
7.0.82-7.16.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
tomcat
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat-admin-webapps
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat-docs-webapp
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat-el-2.2-api
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat-javadoc
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat-jsp-2.2-api
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat-jsvc
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat-lib
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat-servlet-3.0-api
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat-webapps
Amazon Linux 2
0:7.0.76-10.amzn2.0.3
fixed
tomcat7
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
tomcat7-admin-webapps
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
tomcat7-docs-webapp
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
tomcat7-el-2.2-api
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
tomcat7-javadoc
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
tomcat7-jsp-2.2-api
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
tomcat7-lib
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
tomcat7-log4j
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
tomcat7-servlet-3.0-api
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
tomcat7-webapps
Amazon Linux 1
0:7.0.109-1.42.amzn1
fixed
References