NVD Vulnerability Detail

CVE-2017-12616

Summary	When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Publication Date	Sept. 19, 2017, 10:29 p.m.
Registration Date	Jan. 26, 2021, 1:14 p.m.
Last Update	Nov. 21, 2024, 12:09 p.m.

CVSS3.0 : HIGH
スコア	7.5
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	なし
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
Score	5.0
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:7.0.2:beta::::::
cpe:2.3:a:apache:tomcat:7.0.49:::::::*
cpe:2.3:a:apache:tomcat:7.0.12:::::::*
cpe:2.3:a:apache:tomcat:7.0.62:::::::*
cpe:2.3:a:apache:tomcat:7.0.20:::::::*
cpe:2.3:a:apache:tomcat:7.0.34:::::::*
cpe:2.3:a:apache:tomcat:7.0.58:::::::*
cpe:2.3:a:apache:tomcat:7.0.8:::::::*
cpe:2.3:a:apache:tomcat:7.0.55:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:::::::*
cpe:2.3:a:apache:tomcat:7.0.51:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:beta::::::
cpe:2.3:a:apache:tomcat:7.0.63:::::::*
cpe:2.3:a:apache:tomcat:7.0.22:::::::*
cpe:2.3:a:apache:tomcat:7.0.39:::::::*
cpe:2.3:a:apache:tomcat:7.0.26:::::::*
cpe:2.3:a:apache:tomcat:7.0.46:::::::*
cpe:2.3:a:apache:tomcat:7.0.72:::::::*
cpe:2.3:a:apache:tomcat:7.0.76:::::::*
cpe:2.3:a:apache:tomcat:7.0.71:::::::*
cpe:2.3:a:apache:tomcat:7.0.28:::::::*
cpe:2.3:a:apache:tomcat:7.0.59:::::::*
cpe:2.3:a:apache:tomcat:7.0.65:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.50:::::::*
cpe:2.3:a:apache:tomcat:7.0.6:::::::*
cpe:2.3:a:apache:tomcat:7.0.18:::::::*
cpe:2.3:a:apache:tomcat:7.0.14:::::::*
cpe:2.3:a:apache:tomcat:7.0.48:::::::*
cpe:2.3:a:apache:tomcat:7.0.11:::::::*
cpe:2.3:a:apache:tomcat:7.0.67:::::::*
cpe:2.3:a:apache:tomcat:7.0.74:::::::*
cpe:2.3:a:apache:tomcat:7.0.23:::::::*
cpe:2.3:a:apache:tomcat:7.0.66:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.44:::::::*
cpe:2.3:a:apache:tomcat:7.0.69:::::::*
cpe:2.3:a:apache:tomcat:7.0.80:::::::*
cpe:2.3:a:apache:tomcat:7.0.7:::::::*
cpe:2.3:a:apache:tomcat:7.0.42:::::::*
cpe:2.3:a:apache:tomcat:7.0.60:::::::*
cpe:2.3:a:apache:tomcat:7.0.37:::::::*
cpe:2.3:a:apache:tomcat:7.0.29:::::::*
cpe:2.3:a:apache:tomcat:7.0.45:::::::*
cpe:2.3:a:apache:tomcat:7.0.68:::::::*
cpe:2.3:a:apache:tomcat:7.0.13:::::::*
cpe:2.3:a:apache:tomcat:7.0.47:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:beta::::::
cpe:2.3:a:apache:tomcat:7.0.41:::::::*
cpe:2.3:a:apache:tomcat:7.0.31:::::::*
cpe:2.3:a:apache:tomcat:7.0.30:::::::*
cpe:2.3:a:apache:tomcat:7.0.15:::::::*
cpe:2.3:a:apache:tomcat:7.0.19:::::::*
cpe:2.3:a:apache:tomcat:7.0.75:::::::*
cpe:2.3:a:apache:tomcat:7.0.16:::::::*
cpe:2.3:a:apache:tomcat:7.0.10:::::::*
cpe:2.3:a:apache:tomcat:7.0.36:::::::*
cpe:2.3:a:apache:tomcat:7.0.25:::::::*
cpe:2.3:a:apache:tomcat:7.0.54:::::::*
cpe:2.3:a:apache:tomcat:7.0.35:::::::*
cpe:2.3:a:apache:tomcat:7.0.61:::::::*
cpe:2.3:a:apache:tomcat:7.0.79:::::::*
cpe:2.3:a:apache:tomcat:7.0.57:::::::*
cpe:2.3:a:apache:tomcat:7.0.43:::::::*
cpe:2.3:a:apache:tomcat:7.0.32:::::::*
cpe:2.3:a:apache:tomcat:7.0.38:::::::*
cpe:2.3:a:apache:tomcat:7.0.21:::::::*
cpe:2.3:a:apache:tomcat:7.0.27:::::::*
cpe:2.3:a:apache:tomcat:7.0.24:::::::*
cpe:2.3:a:apache:tomcat:7.0.17:::::::*
cpe:2.3:a:apache:tomcat:7.0.40:::::::*
cpe:2.3:a:apache:tomcat:7.0.9:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*
cpe:2.3:a:apache:tomcat:7.0.77:::::::*
cpe:2.3:a:apache:tomcat:7.0.56:::::::*
cpe:2.3:a:apache:tomcat:7.0.64:::::::*
cpe:2.3:a:apache:tomcat:7.0.70:::::::*
cpe:2.3:a:apache:tomcat:7.0.33:::::::*
cpe:2.3:a:apache:tomcat:7.0.73:::::::*

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/100897	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/100897	Third Party Advisory VDB Entry
3	http://www.securitytracker.com/id/1039393	Third Party Advisory VDB Entry
4	http://www.securitytracker.com/id/1039393	Third Party Advisory VDB Entry
5	https://access.redhat.com/errata/RHSA-2018:0465
6	https://access.redhat.com/errata/RHSA-2018:0465
7	https://access.redhat.com/errata/RHSA-2018:0466
8	https://access.redhat.com/errata/RHSA-2018:0466
9	https://lists.apache.org/thread.html/1df9b4552464caa42047062fe7175da0da06c18ecc8daf99258bbda6%40%3Cannounce.tomcat.apache.org%3E
10	https://lists.apache.org/thread.html/1df9b4552464caa42047062fe7175da0da06c18ecc8daf99258bbda6%40%3Cannounce.tomcat.apache.org%3E
11	https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
12	https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
13	https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
14	https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
15	https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
16	https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
17	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
18	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
19	https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html
20	https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html
21	https://security.netapp.com/advisory/ntap-20171018-0001/
22	https://security.netapp.com/advisory/ntap-20171018-0001/
23	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
24	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
25	https://usn.ubuntu.com/3665-1/
26	https://usn.ubuntu.com/3665-1/
27	https://www.synology.com/support/security/Synology_SA_17_54_Tomcat
28	https://www.synology.com/support/security/Synology_SA_17_54_Tomcat

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html

JVN Vulnerability Information

Apache Tomcat における情報漏えいに関する脆弱性

Title	Apache Tomcat における情報漏えいに関する脆弱性
Summary	Apache Tomcat には、情報漏えいに関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 19, 2017, midnight
Registration Date	Oct. 12, 2017, 4:47 p.m.
Last Update	Dec. 11, 2017, 5:15 p.m.

Affected System

Apache Software Foundation

Apache Tomcat 7.0.0 から 7.0.80

日本電気

MailShooter

SimpWright

SpoolServer/Winspoolシリーズ

WebOTX

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-12616	http://cve.mitre.org/cgi-bin/cvename.cgi name=CVE-2017-12616
National Vulnerability Database (NVD)
2	CVE-2017-12616	https://nvd.nist.gov/vuln/detail/CVE-2017-12616

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Apache Tomcat
1	Fixed in Apache Tomcat 7.0.81	http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
NEC製品セキュリティ情報
2	NV17-023	http://jpn.nec.com/security-info/secinfo/nv17-023.html
Pony Mail
3	[SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure	https://lists.apache.org/thread.html/1df9b4552464caa42047062fe7175da0da06c18ecc8daf99258bbda6@%3Cannounce.tomcat.apache.org%3E

その他

No	Name	URL
JPCERT 注意喚起
1	Apache Tomcat における脆弱性に関する注意喚起	https://www.jpcert.or.jp/at/2017/at170038.html
JVN
2	JVNVU#99259676	http://jvn.jp/vu/JVNVU99259676/index.html

Change Log

No	Changed Details	Date of change
0	[2017年10月12日] 掲載 [2017年10月30日] ベンダ情報：Apache Software Foundation (Fixed in Apache Tomcat 7.0.81) を追加参考情報：JVN (JVNVU#99259676) を追加参考情報：JPCERT 注意喚起 (Apache Tomcat における脆弱性に関する注意喚起) を追加 [2017年11月09日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日本電気 (NV17-023) を追加 [2017年12月11日] 影響を受けるシステム：ベンダ情報 (NV17-023) の更新に伴い内容を更新	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:7.0.2:beta::::::
cpe:2.3:a:apache:tomcat:7.0.49:::::::*
cpe:2.3:a:apache:tomcat:7.0.12:::::::*
cpe:2.3:a:apache:tomcat:7.0.62:::::::*
cpe:2.3:a:apache:tomcat:7.0.20:::::::*
cpe:2.3:a:apache:tomcat:7.0.34:::::::*
cpe:2.3:a:apache:tomcat:7.0.58:::::::*
cpe:2.3:a:apache:tomcat:7.0.8:::::::*
cpe:2.3:a:apache:tomcat:7.0.55:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:::::::*
cpe:2.3:a:apache:tomcat:7.0.51:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:beta::::::
cpe:2.3:a:apache:tomcat:7.0.63:::::::*
cpe:2.3:a:apache:tomcat:7.0.22:::::::*
cpe:2.3:a:apache:tomcat:7.0.39:::::::*
cpe:2.3:a:apache:tomcat:7.0.26:::::::*
cpe:2.3:a:apache:tomcat:7.0.46:::::::*
cpe:2.3:a:apache:tomcat:7.0.72:::::::*
cpe:2.3:a:apache:tomcat:7.0.76:::::::*
cpe:2.3:a:apache:tomcat:7.0.71:::::::*
cpe:2.3:a:apache:tomcat:7.0.28:::::::*
cpe:2.3:a:apache:tomcat:7.0.59:::::::*
cpe:2.3:a:apache:tomcat:7.0.65:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.50:::::::*
cpe:2.3:a:apache:tomcat:7.0.6:::::::*
cpe:2.3:a:apache:tomcat:7.0.18:::::::*
cpe:2.3:a:apache:tomcat:7.0.14:::::::*
cpe:2.3:a:apache:tomcat:7.0.48:::::::*
cpe:2.3:a:apache:tomcat:7.0.11:::::::*
cpe:2.3:a:apache:tomcat:7.0.67:::::::*
cpe:2.3:a:apache:tomcat:7.0.74:::::::*
cpe:2.3:a:apache:tomcat:7.0.23:::::::*
cpe:2.3:a:apache:tomcat:7.0.66:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.44:::::::*
cpe:2.3:a:apache:tomcat:7.0.69:::::::*
cpe:2.3:a:apache:tomcat:7.0.80:::::::*
cpe:2.3:a:apache:tomcat:7.0.7:::::::*
cpe:2.3:a:apache:tomcat:7.0.42:::::::*
cpe:2.3:a:apache:tomcat:7.0.60:::::::*
cpe:2.3:a:apache:tomcat:7.0.37:::::::*
cpe:2.3:a:apache:tomcat:7.0.29:::::::*
cpe:2.3:a:apache:tomcat:7.0.45:::::::*
cpe:2.3:a:apache:tomcat:7.0.68:::::::*
cpe:2.3:a:apache:tomcat:7.0.13:::::::*
cpe:2.3:a:apache:tomcat:7.0.47:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:beta::::::
cpe:2.3:a:apache:tomcat:7.0.41:::::::*
cpe:2.3:a:apache:tomcat:7.0.31:::::::*
cpe:2.3:a:apache:tomcat:7.0.30:::::::*
cpe:2.3:a:apache:tomcat:7.0.15:::::::*
cpe:2.3:a:apache:tomcat:7.0.19:::::::*
cpe:2.3:a:apache:tomcat:7.0.75:::::::*
cpe:2.3:a:apache:tomcat:7.0.16:::::::*
cpe:2.3:a:apache:tomcat:7.0.10:::::::*
cpe:2.3:a:apache:tomcat:7.0.36:::::::*
cpe:2.3:a:apache:tomcat:7.0.25:::::::*
cpe:2.3:a:apache:tomcat:7.0.54:::::::*
cpe:2.3:a:apache:tomcat:7.0.35:::::::*
cpe:2.3:a:apache:tomcat:7.0.61:::::::*
cpe:2.3:a:apache:tomcat:7.0.79:::::::*
cpe:2.3:a:apache:tomcat:7.0.57:::::::*
cpe:2.3:a:apache:tomcat:7.0.43:::::::*
cpe:2.3:a:apache:tomcat:7.0.32:::::::*
cpe:2.3:a:apache:tomcat:7.0.38:::::::*
cpe:2.3:a:apache:tomcat:7.0.21:::::::*
cpe:2.3:a:apache:tomcat:7.0.27:::::::*
cpe:2.3:a:apache:tomcat:7.0.24:::::::*
cpe:2.3:a:apache:tomcat:7.0.17:::::::*
cpe:2.3:a:apache:tomcat:7.0.40:::::::*
cpe:2.3:a:apache:tomcat:7.0.9:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*
cpe:2.3:a:apache:tomcat:7.0.77:::::::*
cpe:2.3:a:apache:tomcat:7.0.56:::::::*
cpe:2.3:a:apache:tomcat:7.0.64:::::::*
cpe:2.3:a:apache:tomcat:7.0.70:::::::*
cpe:2.3:a:apache:tomcat:7.0.33:::::::*
cpe:2.3:a:apache:tomcat:7.0.73:::::::*