The body of the original advisory referred to CVE-2017-7674. This was incorrect. It was a copy and paste error from a previous Tomcat advisory.
The correct CVE reference is CVE-2017-12615, as per the subject line. On 19/09/17 11:58, Mark Thomas wrote: > CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP Upload > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions Affected: > Apache Tomcat 7.0.0 to 7.0.79 > > Description: > When running on Windows with HTTP PUTs enabled (e.g. via setting the > readonly initialisation parameter of the Default to false) it was > possible to upload a JSP file to the server via a specially crafted > request. This JSP could then be requested and any code it contained > would be executed by the server. > > Mitigation: > Users of the affected versions should apply one of the following > mitigations: > - Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released) > > Credit: > This issue was reported responsibly to the Apache Tomcat Security Team > by iswin from 360-sg-lab (360观星实验室) > > History: > 2017-09-19 Original advisory > > References: > [1] http://tomcat.apache.org/security-7.html >