CVE-2017-15706

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 92%
Affected Products (NVD)
VendorProductVersion
apachetomcat
7.0.79 ≤
𝑥
≤ 7.0.82
apachetomcat
8.0.45 ≤
𝑥
≤ 8.0.47
apachetomcat
8.5.16 ≤
𝑥
≤ 8.5.23
apachetomcat
9.0.0:milestone22
apachetomcat
9.0.0:milestone25
apachetomcat
9.0.0:milestone26
apachetomcat
9.0.0:milestone27
apachetomcat
9.0.0:milestone3
apachetomcat
9.0.0:milestone4
apachetomcat
9.0.0:milestone6
apachetomcat
9.0.0:milestone8
apachetomcat
9.0.0:milestone9
apachetomcat
9.0.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat9
bookworm
9.0.70-2
fixed
bullseye
9.0.43-2~deb11u10
fixed
bullseye (security)
9.0.43-2~deb11u10
fixed
jessie
not-affected
sid
9.0.95-1
fixed
stretch
not-affected
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat7
artful
not-affected
bionic
not-affected
trusty
not-affected
xenial
not-affected
tomcat8
artful
Fixed 8.5.21-1ubuntu1.1
released
bionic
not-affected
trusty
dne
xenial
not-affected
tomcat8.0
artful
ignored
bionic
dne
trusty
dne
xenial
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
tomcat
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP2
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP3
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP2
8.0.50-29.8.2
fixed
suse enterprise server 12 SP3
8.0.50-29.8.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-admin-webapps
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP2
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP3
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP2
8.0.50-29.8.2
fixed
suse enterprise server 12 SP3
8.0.50-29.8.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-docs-webapp
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP2
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP3
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP2
8.0.50-29.8.2
fixed
suse enterprise server 12 SP3
8.0.50-29.8.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-el-2_2-api
suse enterprise server 12
7.0.90-7.23.1
fixed
tomcat-el-3_0-api
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP2
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP3
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP2
8.0.50-29.8.2
fixed
suse enterprise server 12 SP3
8.0.50-29.8.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-javadoc
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP2
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP3
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP2
8.0.50-29.8.2
fixed
suse enterprise server 12 SP3
8.0.50-29.8.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-jsp-2_2-api
suse enterprise server 12
7.0.90-7.23.1
fixed
tomcat-jsp-2_3-api
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP2
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP3
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP2
8.0.50-29.8.2
fixed
suse enterprise server 12 SP3
8.0.50-29.8.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-lib
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP2
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP3
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP2
8.0.50-29.8.2
fixed
suse enterprise server 12 SP3
8.0.50-29.8.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-servlet-3_0-api
suse enterprise server 12
7.0.90-7.23.1
fixed
tomcat-servlet-3_1-api
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP2
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP3
8.0.50-29.8.2
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP2
8.0.50-29.8.2
fixed
suse enterprise server 12 SP3
8.0.50-29.8.2
fixed
tomcat-servlet-4_0-api
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
tomcat-webapps
suse enterprise sap 12 SP1
8.0.53-10.35.1
fixed
suse enterprise sap 12 SP2
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP3
8.0.50-29.8.2
fixed
suse enterprise sap 12 SP5
9.0.21-3.13.2
fixed
suse enterprise server 12
7.0.90-7.23.1
fixed
suse enterprise server 12 SP1
8.0.53-10.35.1
fixed
suse enterprise server 12 SP2
8.0.50-29.8.2
fixed
suse enterprise server 12 SP3
8.0.50-29.8.2
fixed
suse enterprise server 12 SP5
9.0.21-3.13.2
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
tomcat7
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat7-admin-webapps
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat7-docs-webapp
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat7-el-2.2-api
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat7-javadoc
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat7-jsp-2.2-api
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat7-lib
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat7-log4j
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat7-servlet-3.0-api
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat7-webapps
Amazon Linux 1
0:7.0.84-1.31.amzn1
fixed
tomcat8
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat8-admin-webapps
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat8-docs-webapp
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat8-el-3.0-api
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat8-javadoc
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat8-jsp-2.3-api
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat8-lib
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat8-log4j
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat8-servlet-3.1-api
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat8-webapps
Amazon Linux 1
0:8.5.28-1.76.amzn1
fixed
tomcat80
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
tomcat80-admin-webapps
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
tomcat80-docs-webapp
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
tomcat80-el-3.0-api
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
tomcat80-javadoc
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
tomcat80-jsp-2.3-api
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
tomcat80-lib
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
tomcat80-log4j
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
tomcat80-servlet-3.1-api
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
tomcat80-webapps
Amazon Linux 1
0:8.0.50-1.79.amzn1
fixed
References