CVE-2017-7675 : The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Published 2017-08-11 02:29:00

Updated 2023-12-08 16:41:19

Source Apache Software Foundation

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2017-7675

Apache » Tomcat » Version: 8.5.2
cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.3
cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.4
cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.0
cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.1
cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.5
cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.6
cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.8
cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.9
cpe:2.3:a:apache:tomcat:8.5.9:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.7
cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.10
cpe:2.3:a:apache:tomcat:8.5.10:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.13
cpe:2.3:a:apache:tomcat:8.5.13:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.14
cpe:2.3:a:apache:tomcat:8.5.14:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.15
cpe:2.3:a:apache:tomcat:8.5.15:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.11
cpe:2.3:a:apache:tomcat:8.5.11:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 8.5.12
cpe:2.3:a:apache:tomcat:8.5.12:*:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone1
cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone10
cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone11
cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone12
cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone13
cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone14
cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone15
cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone16
cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone17
cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone18
cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone19
cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone2
cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone20
cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone21
cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone3
cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone4
cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone5
cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone6
cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone7
cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone8
cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
Matching versions
Apache » Tomcat » Version: 9.0.0 Update Milestone9
cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2017-7675

Top countries where our scanners detected CVE-2017-7675

Top open port discovered on systems with this issue 80

IPs affected by CVE-2017-7675 27,246

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2017-7675!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2017-7675

EPSS FAQ

3.81%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 87 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2017-7675

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-7675

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-7675

https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E

svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E

svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E

Pony Mail!

CVEs referencing this url
http://www.securityfocus.com/bid/100256

Apache Tomcat CVE-2017-7675 Directory Traversal Vulnerability
Third Party Advisory;VDB Entry
https://lists.apache.org/thread.html/5f8ab8a02f3610bd56ea2b0d69af25cbde451d79c46276c350e05a15%40%3Cdev.tomcat.apache.org%3E

[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost-Apache Mail Archives
https://security.netapp.com/advisory/ntap-20180614-0003/

July 2017 Tomcat Vulnerabilities in NetApp Products | NetApp Product Security

CVEs referencing this url
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E

svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/5f8ab8a02f3610bd56ea2b0d69af25cbde451d79c46276c350e05a15@%3Cdev.tomcat.apache.org%3E

[Bug 61120] Tomcat 8.5.15 with HTTP/2: URL path parameters lost - Pony Mail
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E

svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E

svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E

svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E

svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/d3a5818e8af731bde6a05ef031ed3acc093c6dd7c4bfcc4936eafd6c@%3Cannounce.tomcat.apache.org%3E

Pony Mail!
Mailing List;Vendor Advisory
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
http://www.debian.org/security/2017/dsa-3974

Debian -- Security Information -- DSA-3974-1 tomcat8

CVEs referencing this url
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/d3a5818e8af731bde6a05ef031ed3acc093c6dd7c4bfcc4936eafd6c%40%3Cannounce.tomcat.apache.org%3E

[UPDATE][SECURITY] CVE-2017-7675 Apache Tomcat Security Constraint Bypass-Apache Mail Archives
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E

svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ - Pony Mail

CVEs referencing this url
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E

svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ - Pony Mail

CVEs referencing this url