Vulnerability in Apache Tomcat
CVE-2020-1938
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are…
EPSS: 0.945 (100.0th percentile)
Affected products
- Apache Tomcat: 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50, 7.0.0 to 7.0.99
CISA KEV (Known Exploited Vulnerabilities)
This CVE is on the CISA KEV catalog (added 2022-03-03). CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate by the published due date.
BOD 22-01 due date: .
Required action: Apply updates per vendor instructions.
Public proof-of-concept exploits
- 00theway/Ghostcat-CNVD-2020-10487
- bkfish/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner
- lizhianyuguangming/TomcatScanPro
- tpt11fb/AttackTomcat
- sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read
- xindongzhuaizhuai/CVE-2020-1938
- laolisafe/CVE-2020-1938
- Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat
- woaiqiukui/CVE-2020-1938TomcatAjpScanner
- fairyming/CVE-2020-1938
References
- [tomcat-announce] 2020-02-24: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution
- [ofbiz-notifications] 2020-02-25: [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)
- [ofbiz-notifications] 2020-02-25: [jira] [Updated] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)
- [ofbiz-commits] 2020-02-27: [ofbiz-plugins] branch release17.12 updated: Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938) (OFBIZ-11407)
- [ofbiz-notifications] 2020-02-27: [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)
- [ofbiz-notifications] 2020-02-28: [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)
- [ofbiz-notifications] 2020-02-28: [jira] [Comment Edited] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)
- [tomcat-users] 2020-03-01: Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution
- [tomcat-users] 2020-03-02: Re: AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution
- [tomcat-users] 2020-03-02: AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution
Frequently asked questions
- What is CVE-2020-1938?
- CVE-2020-1938 is a vulnerability in Apache Tomcat. Published 2020-02-24.
- Is CVE-2020-1938 known to be exploited?
- Yes. CVE-2020-1938 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-03-03), indicating it is being actively exploited. 286 public proof-of-concept repositories are indexed.