CVE-2020-1938
Summary
| CVE | CVE-2020-1938 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-02-24 22:15:00 UTC |
| Updated | 2023-11-07 03:19:00 UTC |
| Description | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. |
Risk And Classification
EPSS: 0.944690000 probability, percentile 0.999970000 (date 2026-04-01)
CISA KEV: Listed on 2022-03-03; due 2022-03-17; ransomware use Unknown
Problem Types: NVD-CWE-Other
CISA Known Exploited Vulnerability
| Vendor | Apache |
|---|---|
| Product | Tomcat |
| Name | Apache Tomcat Improper Privilege Management Vulnerability |
| Required Action | Apply updates per vendor instructions. |
| Notes | https://nvd.nist.gov/vuln/detail/CVE-2020-1938 |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Geode | 1.12.0 | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Apache | Tomcat | All | All | All | All |
| Application | Blackberry | Good Control | All | All | All | All |
| Application | Blackberry | Workspaces Server | 7.0.1 | All | All | All |
| Application | Blackberry | Workspaces Server | 7.1.2 | All | All | All |
| Application | Blackberry | Workspaces Server | 8.1.0 | All | All | All |
| Application | Blackberry | Workspaces Server | 9.0 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 8.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 30 | All | All | All |
| Operating System | Fedoraproject | Fedora | 31 | All | All | All |
| Operating System | Fedoraproject | Fedora | 32 | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
| Application | Oracle | Agile Engineering Data Management | 6.2.1.0 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.3 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.5 | All | All | All |
| Application | Oracle | Agile Plm | 9.3.6 | All | All | All |
| Application | Oracle | Communications Element Manager | 8.1.1 | All | All | All |
| Application | Oracle | Communications Element Manager | 8.2.0 | All | All | All |
| Application | Oracle | Communications Element Manager | 8.2.1 | All | All | All |
| Application | Oracle | Communications Instant Messaging Server | 10.0.1.4.0 | All | All | All |
| Application | Oracle | Health Sciences Empirica Inspections | 1.0.1.2 | All | All | All |
| Application | Oracle | Health Sciences Empirica Signal | 7.3.3 | All | All | All |
| Application | Oracle | Hospitality Guest Access | 4.2.0 | All | All | All |
| Application | Oracle | Hospitality Guest Access | 4.2.1 | All | All | All |
| Application | Oracle | Instantis Enterprisetrack | All | All | All | All |
| Application | Oracle | Mysql Enterprise Monitor | All | All | All | All |
| Application | Oracle | Mysql Enterprise Monitor | All | All | All | All |
| Application | Oracle | Siebel Ui Framework | All | All | All | All |
| Application | Oracle | Transportation Management | 6.3.7 | All | All | All |
| Application | Oracle | Workload Manager | 12.2.0.1 | All | All | All |
| Application | Oracle | Workload Manager | 18c | All | All | All |
| Application | Oracle | Workload Manager | 19c | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| [SECURITY] Fedora 30 Update: tomcat-9.0.31-2.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | lists.apache.org | ||
| BSRT-2020-001 Local File Inclusion Vulnerability in Apache Tomcat Impacts BlackBerry Workspaces Server and BlackBerry Good Control | CONFIRM | support.blackberry.com | |
| CVE-2020-1938 Apache Tomcat Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| [SECURITY] Fedora 31 Update: tomcat-9.0.31-2.fc31 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| [SECURITY] Fedora 32 Update: tomcat-9.0.31-2.fc32 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] [DLA 2133-1] tomcat7 security update | MLIST | lists.debian.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - October 2020 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [security-announce] openSUSE-SU-2020:0345-1: important: Security update | SUSE | lists.opensuse.org | |
| Debian -- Security Information -- DSA-4673-1 tomcat8 | DEBIAN | www.debian.org | |
| [SECURITY] Fedora 32 Update: tomcat-9.0.31-2.fc32 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Apache Tomcat: Multiple vulnerabilities (GLSA 202003-43) — Gentoo security | GENTOO | security.gentoo.org | |
| [SECURITY] [DLA 2209-1] tomcat8 security update | MLIST | lists.debian.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Debian -- Security Information -- DSA-4680-1 tomcat9 | DEBIAN | www.debian.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| [security-announce] openSUSE-SU-2020:0597-1: important: Security update | SUSE | lists.opensuse.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| [SECURITY] Fedora 31 Update: tomcat-9.0.31-2.fc31 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| [SECURITY] Fedora 30 Update: tomcat-9.0.31-2.fc30 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| Oracle Critical Patch Update Advisory - January 2021 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | lists.apache.org | ||
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
| CISA Known Exploited Vulnerabilities catalog | CISA | www.cisa.gov | kev |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 356190 Amazon Linux Security Advisory for tomcat : ALASTOMCAT8.5-2023-012
- 377084 Alibaba Cloud Linux Security Update for tomcat (ALINUX2-SA-2020:0032)
- 730112 Atlassian Jira Component Apache Tomcat Hypertext Transfer Protocol (HTTP) Request Smuggling Vulnerability (JRASERVER-70993)
- 730434 Update TITLE manually (JRASERVER-70487)
- 730441 Atlassian Jira Local Privilege Escalation Vulnerability (JRASERVER-70487)
- 730449 (JRASERVER-70487)
- 730510 Atlassian Jira Remote Code Execution (RCE) Vulnerability (JRASERVER-73223)
- 981939 Java (maven) Security Update for org.apache.tomcat.embed:tomcat-embed-core (GHSA-c9hw-wf7x-jp9j)