GHSA-8qq4-8jvq-mfw4 · Severity: high · Ecosystem: maven — Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Conclusion & alert: CVE-2017-12616 is rated Moderate Risk (59.8/100): CVSS High severity, with high exploitation likelihood (EPSS 70.80%, 99th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 90.64% | 70.80% | -19.84% |
| 2 | 2026-05-23 | 91.39% | 90.64% | -0.75% |
| 3 | 2026-04-12 | — | 91.39% | — |
Full EPSS history (45 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.0 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
GHSA-8qq4-8jvq-mfw4 · Severity: high · Ecosystem: maven — Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2017-12616 |
suse
|
medium | CVE-2017-12616 severity moderate: SUSE including 26 source package names (tomcat, tomcat-7.0.82-7.16.1, …), 47 product×package rows across 8 product lines (SUSE Linux Enterprise Server 11 SP1 for Teradata, SUSE Linux Enterprise Server 11 SP3 LTSS, … (8 product lines)): Known Not Affected 38, Fixed 9. | https://www.suse.com/security/cve/CVE-2017-12616/ |
ubuntu
|
medium | CVE-2017-12616 medium priority: Ubuntu including 2 source packages (tomcat7, tomcat8), 39 status rows across 20 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, precise, trusty, upstream, xenial, zesty): DNE 26, ignored 5, not-affected 4, released 4. | https://ubuntu.com/security/CVE-2017-12616 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| apache | tomcat | 7.0.0 | cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.0 | cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:* |
| apache | tomcat | 7.0.1 | cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.2 | cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.2 | cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:* |
| apache | tomcat | 7.0.3 | cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.4 | cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.4 | cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:* |
| apache | tomcat | 7.0.5 | cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.5 | cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:* |
| apache | tomcat | 7.0.6 | cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.7 | cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.8 | cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.9 | cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.10 | cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.11 | cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.12 | cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.13 | cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.14 | cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.15 | cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.16 | cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.17 | cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.18 | cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.19 | cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.20 | cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.21 | cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.22 | cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.23 | cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.24 | cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.25 | cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.26 | cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.27 | cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.28 | cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.29 | cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.30 | cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.31 | cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.32 | cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.33 | cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.34 | cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.35 | cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.36 | cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.37 | cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.38 | cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.39 | cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.40 | cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.41 | cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.42 | cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.43 | cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.44 | cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.45 | cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.46 | cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.47 | cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.48 | cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.49 | cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.50 | cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.51 | cpe:2.3:a:apache:tomcat:7.0.51:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.54 | cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.55 | cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.56 | cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.57 | cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.58 | cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.59 | cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.60 | cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.61 | cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.62 | cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.63 | cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.64 | cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.65 | cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.66 | cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.67 | cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.68 | cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.69 | cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.70 | cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.71 | cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.72 | cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.73 | cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.74 | cpe:2.3:a:apache:tomcat:7.0.74:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.75 | cpe:2.3:a:apache:tomcat:7.0.75:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.76 | cpe:2.3:a:apache:tomcat:7.0.76:*:*:*:*:*:*:* |
| apache | tomcat | 7.0.77 | cpe:2.3:a:apache:tomcat:7.0.77:*:*:*:*:*:*:* |