// For flags

CVE-2017-15706

 

Severity Score

5.3
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.

Como parte de la solución para el bug 61201, la documentación para Apache Tomcat en versiones 9.0.0.M22 a la 9.0.1; versiones 8.5.16 a 8.5.23; 8.0.45 a 8.0.47 y 7.0.79 to 7.0.82 incluía una descripción actualizada del algoritmo de búsqueda empleado por el Servlet CGI para identificar qué script ejecutar. La actualización no fue correcta. Como resultado, algunos scripts no se han ejecutado como se esperaba y otros se han ejecutado inesperadamente. Se debe tener en cuenta que el comportamiento del servlet CGI se ha mantenido sin cambios en este sentido. Lo único erróneo era la documentación del comportamiento, que ya ha sido corregida.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-10-21 CVE Reserved
  • 2018-01-31 CVE Published
  • 2024-07-27 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-358: Improperly Implemented Security Check for Standard
CAPEC
References (20)
URL Tag Source
http://www.securityfocus.com/bid/103069 Vdb Entry
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/e1ef853fc0079cdb55befbd2dac042934e49288b476d5f6a649e5da2%40%3Cannounce.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E Mailing List
https://www.oracle.com/security-alerts/cpuapr2020.html X_refsource_misc
URL Date SRC
URL Date SRC
URL Date SRC
https://usn.ubuntu.com/3665-1 2023-12-08
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 >= 7.0.79 <= 7.0.82
Search vendor "Apache" for product "Tomcat" and version " >= 7.0.79 <= 7.0.82"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 >= 8.0.45 <= 8.0.47
Search vendor "Apache" for product "Tomcat" and version " >= 8.0.45 <= 8.0.47"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 >= 8.5.16 <= 8.5.23
Search vendor "Apache" for product "Tomcat" and version " >= 8.5.16 <= 8.5.23"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.0
Search vendor "Apache" for product "Tomcat" and version "9.0.0"
milestone22
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.0
Search vendor "Apache" for product "Tomcat" and version "9.0.0"
milestone25
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.0
Search vendor "Apache" for product "Tomcat" and version "9.0.0"
milestone26
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.0
Search vendor "Apache" for product "Tomcat" and version "9.0.0"
milestone27
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.0
Search vendor "Apache" for product "Tomcat" and version "9.0.0"
milestone3
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.0
Search vendor "Apache" for product "Tomcat" and version "9.0.0"
milestone4
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.0
Search vendor "Apache" for product "Tomcat" and version "9.0.0"
milestone6
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.0
Search vendor "Apache" for product "Tomcat" and version "9.0.0"
milestone8
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.0
Search vendor "Apache" for product "Tomcat" and version "9.0.0"
milestone9
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 9.0.1
Search vendor "Apache" for product "Tomcat" and version "9.0.1"
-
Affected