CVE-2020-9484

EPSS 93.46% · P100 Updated Feb 24, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2020-9484

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Description

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Title

Apache Tomcat 代码问题漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Apache Tomcat是美国阿帕奇（Apache）基金会的一款轻量级Web应用服务器。该程序实现了对Servlet和JavaServer Page（JSP）的支持。 Apache Tomcat中存在代码问题漏洞。攻击者可通过控制服务器上文件的内容和名称等方法利用该漏洞执行代码。以下产品及版本受到影响：Apache Tomcat 10.0.0-M1版本至10.0.0-M4版本，9.0.0.0.M1版本至9.0.43之前版本，8.5.0版本至8.5.63之前版本，7.0.0版本至7.0.108之前版本。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
-	Apache Tomcat	Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to 7.0.103	-

II. Public POCs for CVE-2020-9484

#	POC Description	Source Link	Shenlong Link
1	tomcat使用了自带session同步功能时，不安全的配置（没有使用EncryptInterceptor）导致存在的反序列化漏洞，通过精心构造的数据包，可以对使用了tomcat自带session同步功能的服务器进行攻击。PS:这个不是CVE-2020-9484，9484是session持久化的洞，这个是session集群同步的洞！	https://github.com/threedr3am/tomcat-cluster-session-sync-exp	POC Details
2	None	https://github.com/masahiro331/CVE-2020-9484	POC Details
3	利用ceye批量检测CVE-2020-9484	https://github.com/seanachao/CVE-2020-9484	POC Details
4	用Kali 2.0复现Apache Tomcat Session反序列化代码执行漏洞	https://github.com/IdealDreamLast/CVE-2020-9484	POC Details
5	for Ubuntu 18.04, improve functions.	https://github.com/qerogram/CVE-2020-9484	POC Details
6	CVE-2020-9484 Mass Scanner, Scan a list of urls for Apache Tomcat deserialization (CVE-2020-9484) which could lead to RCE	https://github.com/osamahamad/CVE-2020-9484-Mass-Scan	POC Details
7	None	https://github.com/anjai94/CVE-2020-9484-exploit	POC Details
8	None	https://github.com/PenTestical/CVE-2020-9484	POC Details
9	A smol bash script I threw together pretty quickly to scan for vulnerable versions of the Apache Tomcat RCE. I'll give it some love when I have the time.	https://github.com/DanQMoo/CVE-2020-9484-Scanner	POC Details
10	None	https://github.com/AssassinUKG/CVE-2020-9484	POC Details
11	POC for CVE-2020-9484	https://github.com/VICXOR/CVE-2020-9484	POC Details
12	None	https://github.com/DXY0411/CVE-2020-9484	POC Details
13	Apache Tomcat RCE (CVE-2020-9484)	https://github.com/RepublicR0K/CVE-2020-9484	POC Details
14	POC - Apache Tomcat Deserialization Vulnerability (CVE-2020-9484)	https://github.com/ColdFusionX/CVE-2020-9484	POC Details
15	Exploit for Apache Tomcat deserialization (CVE-2020-9484) which could lead to RCE	https://github.com/d3fudd/CVE-2020-9484_Exploit	POC Details
16	small test to prevent sql injections attack. 🔒 CVE-2020-9484	https://github.com/pxcs/webLogin-DEV	POC Details
17	Remake of CVE-2020-9484 by Pentestical	https://github.com/0dayCTF/CVE-2020-9484	POC Details
18	Bash POC for CVE-2020-9484 that i used in tryhackme challenge	https://github.com/Disturbante/CVE-2020-9484	POC Details
19	Remake of CVE-2020-9484 by Pentestical	https://github.com/deathquote/CVE-2020-9484	POC Details
20	PoC exploit for CVE-2020-9484, and a vulnerable web application for its demonstration	https://github.com/savsch/PoC_CVE-2020-9484	POC Details
21	When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-9484.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2020-9484

请登录查看更多情报信息。

https://www.oracle.com/security-alerts/cpujul2022.htmlx_refsource_MISC
https://www.oracle.com/security-alerts/cpujul2020.htmlx_refsource_MISC
https://www.oracle.com//security-alerts/cpujul2021.htmlx_refsource_MISC
https://www.oracle.com/security-alerts/cpuoct2021.htmlx_refsource_MISC
https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3Ex_refsource_MISC
https://security.netapp.com/advisory/ntap-20200528-0005/x_refsource_CONFIRM
https://www.oracle.com/security-alerts/cpuoct2020.htmlx_refsource_MISC
https://www.oracle.com/security-alerts/cpuApr2021.htmlx_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2021.htmlx_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2022.htmlx_refsource_MISC
https://kc.mcafee.com/corporate/index?page=content&id=SB10332x_refsource_CONFIRM
https://www.debian.org/security/2020/dsa-4727vendor-advisoryx_refsource_DEBIAN
https://usn.ubuntu.com/4448-1/vendor-advisoryx_refsource_UBUNTU
https://usn.ubuntu.com/4596-1/vendor-advisoryx_refsource_UBUNTU
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.htmlvendor-advisoryx_refsource_SUSE
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/vendor-advisoryx_refsource_FEDORA
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/vendor-advisoryx_refsource_FEDORA
http://seclists.org/fulldisclosure/2020/Jun/6mailing-listx_refsource_FULLDISC
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.htmlmailing-listx_refsource_MLIST
[SECURITY] [DLA 2279-1] tomcat8 security updatemailing-listx_refsource_MLIST
https://lists.debian.org/debian-lts-announce/2020/05/msg00020.htmlmailing-listx_refsource_MLIST
http://www.openwall.com/lists/oss-security/2021/03/01/2mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3Emailing-listx_refsource_MLIST
Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence-Apache Mail Archivesmailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3Emailing-listx_refsource_MLIST
https://nvd.nist.gov/vuln/detail/CVE-2020-9484

Same Patch Batch · n/a · 2020-05-20 · 17 CVEs total

CVE-2020-13241		Microweber 代码问题漏洞
CVE-2020-13249		MariaDB Connector/C 安全漏洞
CVE-2020-13246		Gitea 安全漏洞
CVE-2020-13239		Dolibarr ERP/CRM DMS/ECM模块跨站脚本漏洞
CVE-2020-13240		Dolibarr ERP/CRM DMS/ECM模块跨站脚本漏洞
CVE-2020-13231		Cacti 跨站请求伪造漏洞
CVE-2020-1955		Apache CouchDB 安全漏洞
CVE-2020-13230		Cacti 安全漏洞
CVE-2020-5753		Signal Private Messenger 信息泄露漏洞
CVE-2020-3956		VMware Cloud Director 注入漏洞
CVE-2020-11716		多款Panasonic产品安全漏洞
CVE-2020-12835		SmartBear Software ReadyAPI 注入漏洞
CVE-2020-13152		KDE Amarok 资源管理错误漏洞
CVE-2020-13226		WSO2 API Manager 代码问题漏洞
CVE-2020-13225		phpIPAM 跨站脚本漏洞
CVE-2020-12034		Rockwell Automation EDS Subsystem SQL注入漏洞

IV. Related Vulnerabilities

Same product: Apache Tomcat

Same vendor: n/a

V. Comments for CVE-2020-9484

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2020-9484

I. Basic Information for CVE-2020-9484

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Shenlong Deep Dive — AI Deep Analysis

Affected Products

II. Public POCs for CVE-2020-9484

III. Intelligence Information for CVE-2020-9484

Same Patch Batch · n/a · 2020-05-20 · 17 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2020-9484

Leave a comment