CVE-2020-1938
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2020-1938
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Tomcat 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Tomcat是美国阿帕奇(Apache)基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page(JSP)的支持。 Apache Tomcat 7.0.100版本之前的7.*版本、8.5.51版本之前的8.*版本和9.0.31版本之前的9.*版本中的Tomcat AJP协议存在安全漏洞。攻击者可利用该漏洞读取或包含Tomcat上所有webapp目录下的任意文件,如 webapp 配置文件或源代码等。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache | Apache Tomcat | Apache Tomcat 9.0.0.M1 to 9.0.0.30 | - |
II. Public POCs for CVE-2020-1938
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | None | https://github.com/xindongzhuaizhuai/CVE-2020-1938 | POC Details |
| 2 | CVE-2020-1938 | https://github.com/sgdream/CVE-2020-1938 | POC Details |
| 3 | CNVD-2020-10487(CVE-2020-1938), tomcat ajp 文件读取漏洞poc | https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC | POC Details |
| 4 | Cnvd-2020-10487 / cve-2020-1938, scanner tool | https://github.com/bkfish/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner | POC Details |
| 5 | CVE-2020-1938漏洞复现 | https://github.com/laolisafe/CVE-2020-1938 | POC Details |
| 6 | None | https://github.com/h7hac9/CVE-2020-1938 | POC Details |
| 7 | Tomcat的文件包含及文件读取漏洞利用POC | https://github.com/sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read | POC Details |
| 8 | 在一定条件下可执行命令 | https://github.com/fairyming/CVE-2020-1938 | POC Details |
| 9 | None | https://github.com/dacade/CVE-2020-1938 | POC Details |
| 10 | 批量扫描TomcatAJP漏洞 | https://github.com/woaiqiukui/CVE-2020-1938TomcatAjpScanner | POC Details |
| 11 | None | https://github.com/fatal0/tomcat-cve-2020-1938-check | POC Details |
| 12 | CVE-2020-1938 | https://github.com/ze0r/GhostCat-LFI-exp | POC Details |
| 13 | CNVD-2020-10487 OR CVE-2020-1938 批量验证脚本,批量验证,并自动截图,方便提交及复核 | https://github.com/delsadan/CNVD-2020-10487-Bulk-verification | POC Details |
| 14 | Ghostcat read file/code execute,CNVD-2020-10487(CVE-2020-1938) | https://github.com/00theway/Ghostcat-CNVD-2020-10487 | POC Details |
| 15 | Learnings on how to verify if vulnerable to Ghostcat (aka CVE-2020-1938) | https://github.com/shaunmclernon/ghostcat-verification | POC Details |
| 16 | Test Explo for Ghostcat CVE-2020-1938 | https://github.com/Zaziki1337/Ghostcat-CVE-2020-1938 | POC Details |
| 17 | CVE-2020-1938(GhostCat) clean and readable code version | https://github.com/w4fz5uck5/CVE-2020-1938-Clean-Version | POC Details |
| 18 | 批量检测幽灵猫漏洞 | https://github.com/Just1ceP4rtn3r/CVE-2020-1938-Tool | POC Details |
| 19 | CVE-2020-1938 / CNVD-2020-1048 Detection Tools | https://github.com/doggycheng/CNVD-2020-10487 | POC Details |
| 20 | This is about CVE-2020-1938 | https://github.com/I-Runtime-Error/CVE-2020-1938 | POC Details |
| 21 | CVE-2020-1938 exploit | https://github.com/Umesh2807/Ghostcat | POC Details |
| 22 | Disables AJP connectors to remediate CVE-2020-1938! | https://github.com/MateoSec/ghostcatch | POC Details |
| 23 | Modified version of auxiliary/admin/http/tomcat_ghostcat, it can Read any file | https://github.com/acodervic/CVE-2020-1938-MSF-MODULE | POC Details |
| 24 | None | https://github.com/Hancheng-Lei/Hacking-Vulnerability-CVE-2020-1938-Ghostcat | POC Details |
| 25 | None | https://github.com/streghstreek/CVE-2020-1938 | POC Details |
| 26 | Scanner for CVE-2020-1938 | https://github.com/Neko-chanQwQ/CVE-2020-1938 | POC Details |
| 27 | An implementation of CVE-2020-1938 | https://github.com/jptr218/ghostcat | POC Details |
| 28 | -H 192.168.1.1-192.168.5.255 | https://github.com/einzbernnn/CVE-2020-1938Scan | POC Details |
| 29 | This is a modified version of the original GhostCat Exploit | https://github.com/YounesTasra-R4z3rSw0rd/CVE-2020-1938 | POC Details |
| 30 | cve-2020-1938 Tomcat-Ajp-lfi.git脚本 | https://github.com/Warelock/cve-2020-1938 | POC Details |
| 31 | CVE-2020-1938 | https://github.com/whatboxapp/GhostCat-LFI-exp | POC Details |
| 32 | This is exploit of CVE-2020-1938 Ghostcat-Apache Tomcat Vulnerability | https://github.com/technicalcorp2/CVE-2020-1938-Exploit | POC Details |
| 33 | cve-2020-1938 POC, updated version | https://github.com/s3nd3rjz/poc-CVE-2020-1938 | POC Details |
| 34 | None | https://github.com/WHtig3r/CVE-2020-1938 | POC Details |
| 35 | poc-CVE-2020-1938 | https://github.com/aib0litt/poc-CVE-2020-1938 | POC Details |
| 36 | None | https://github.com/hopsypopsy8/CVE-2020-1938-Exploitation | POC Details |
| 37 | Apache Tomcat vulnerable to Ghostcat (CVE-2020-1938). | https://github.com/erickrr-bd/Apache-Tomcat-Ghostcat-Vulnerability | POC Details |
| 38 | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. | https://github.com/projectdiscovery/nuclei-templates/blob/main/network/cves/2020/CVE-2020-1938.yaml | POC Details |
| 39 | None | https://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Apache%20Tomcat%20AJP%20%E6%96%87%E4%BB%B6%E5%8C%85%E5%90%AB%E6%BC%8F%E6%B4%9E%20CVE-2020-1938.md | POC Details |
| 40 | https://github.com/vulhub/vulhub/blob/master/tomcat/CVE-2020-1938/README.md | POC Details | |
| 41 | Ghostcat read file/code execute,CNVD-2020-10487(CVE-2020-1938) | https://github.com/Joshua8821/CNVD | POC Details |
| 42 | Apache Tomcat AJP Ghostcat (CVE-2020-1938) exploit tool for file disclosure with multi-target scanning, custom wordlists, and upload point detection capabilities | https://github.com/abrewer251/CVE-2020-1938_Ghostcat-PoC | POC Details |
| 43 | None | https://github.com/RedTeam-Rediron/CVE-2020-1938 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2020-1938
请登录查看更多情报信息。
- https://security.netapp.com/advisory/ntap-20200226-0002/x_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpuoct2020.htmlx_refsource_MISC
- http://support.blackberry.com/kb/articleDetail?articleNumber=000062739x_refsource_CONFIRM
- https://www.oracle.com/security-alerts/cpujul2020.htmlx_refsource_MISC
- https://www.oracle.com/security-alerts/cpujan2021.htmlx_refsource_MISC
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.htmlvendor-advisoryx_refsource_SUSE
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.htmlvendor-advisoryx_refsource_SUSE
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B/vendor-advisoryx_refsource_FEDORA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS/vendor-advisoryx_refsource_FEDORA
- [Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat-Apache Mail Archivesmailing-listx_refsource_MLIST
- [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)-Apache Mail Archivesmailing-listx_refsource_MLIST
- https://nvd.nist.gov/vuln/detail/CVE-2020-1938
Same Patch Batch · Apache · 2020-02-24 · 4 CVEs total
| CVE-2020-1935 | Apache Tomcat 环境问题漏洞 | |
| CVE-2019-17569 | Apache Tomcat 环境问题漏洞 | |
| CVE-2020-1937 | Apache Kylin SQL注入漏洞 |
IV. Related Vulnerabilities
Same product: Apache Tomcat
- CVE-2026-34500
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even - CVE-2026-34487
Apache Tomcat: Cloud membership for clustering component exp - CVE-2026-34486
Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of Encr - CVE-2026-34483
Apache Tomcat: Incomplete escaping of JSON access logs - CVE-2026-32990
Apache Tomcat: Fix for CVE-2025-66614 is incomplete
Same vendor: Apache
- CVE-2025-58712
Amq: privilege escalation via excessive /etc/passwd permissi - CVE-2024-42362
GHSL-2023-255: HertzBeat Authenticated (user role) RCE via u - CVE-2024-42361
GHSL-2023-256: HertzBeat Authenticated (guest role) SQL inje - CVE-2021-32824
Regular expression Denial of Service in MooTools - CVE-2021-25958
Generation of Error Message Containing Sensitive Information
V. Comments for CVE-2020-1938
No comments yet