Apache Tomcat AJP Connector Insecure Configuration Vulnerability
CVE-2020-1938

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 24 February 2020

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 94%🦅 CISA Reported

What is CVE-2020-1938?

The Apache JServ Protocol (AJP) Connector in Apache Tomcat allowed for misconfigured connections that could be exploited by attackers. By default, the AJP Connector is enabled, listening on all configured IP addresses. This elevated trust can lead to unauthorized access and manipulation of files within the web application. Attackers could return arbitrary files or execute any file processed as a JSP, potentially enabling remote code execution if the application allows uploaded files. To mitigate this vulnerability, it is crucial to disable the AJP Connector if not used, and upgrade to versions 9.0.31, 8.5.51, or 7.0.100 or later, which contain enhanced default configurations.

CISA has reported CVE-2020-1938

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2020-1938 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply updates per vendor instructions.

Affected Version(s)

Apache Tomcat Apache Tomcat 9.0.0.M1 to 9.0.0.30

Apache Tomcat 8.5.0 to 8.5.50

Apache Tomcat 7.0.0 to 7.0.99

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Ghostcat-CNVD-2020-10487
Created by 00theway

CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner
Created by bkfish

AttackTomcat
Created by tpt11fb