CVE-2020-1938

Published: 24/02/2020 Updated: 27/02/2020
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apache Tomcat could allow a remote malicious user to execute arbitrary code on the system, caused by a flaw in the AJP connector. By sending a specially-crafted AJP request, an attacker could exploit this vulnerability to execute arbitrary code or obtain sensitive information on the system.

Affected Products

Vendor: Apache
Product: Tomcat
Versions: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17, 7.0.18, 7.0.19, 7.0.20, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.0.25, 7.0.26, 7.0.27, 7.0.28, 7.0.29, 7.0.30, 7.0.31, 7.0.32, 7.0.33, 7.0.34, 7.0.35, 7.0.36, 7.0.37, 7.0.38, 7.0.39, 7.0.40, 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.51, 7.0.52, 7.0.53, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.58, 7.0.59, 7.0.60, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.66, 7.0.67, 7.0.68, 7.0.69, 7.0.70, 7.0.71, 7.0.72, 7.0.73, 7.0.74, 7.0.75, 7.0.76, 7.0.77, 7.0.78, 7.0.79, 7.0.80, 7.0.81, 7.0.82, 7.0.83, 7.0.84, 7.0.85, 7.0.86, 7.0.87, 7.0.88, 7.0.89, 7.0.90, 7.0.91, 7.0.92, 7.0.93, 7.0.94, 7.0.95, 7.0.96, 7.0.97, 7.0.98, 7.0.99, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.17, 8.5.18, 8.5.19, 8.5.20, 8.5.21, 8.5.22, 8.5.23, 8.5.24, 8.5.25, 8.5.26, 8.5.27, 8.5.28, 8.5.29, 8.5.30, 8.5.31, 8.5.32, 8.5.33, 8.5.34, 8.5.35, 8.5.36, 8.5.37, 8.5.38, 8.5.39, 8.5.40, 8.5.41, 8.5.42, 8.5.43, 8.5.44, 8.5.45, 8.5.46, 8.5.47, 8.5.48, 8.5.49, 8.5.50, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.0.14, 9.0.15, 9.0.16, 9.0.17, 9.0.18, 9.0.19, 9.0.20, 9.0.21, 9.0.22, 9.0.23, 9.0.24, 9.0.25, 9.0.26, 9.0.27, 9.0.28, 9.0.29, 9.0.30

Vendor Advisories

Synopsis: Important: tomcat6 security update. Type/Severity: Security Advisory: Important. Topic: An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, ...
Debian Bug report logs - #952436: tomcat7: CVE-2020-1938 AJP Request Injection and potential RCE. Package: tomcat7; Maintainer for tomcat7 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for tomcat7 is src:tomcat7. Reported by: Joost van Baal-Ilić <joostvb+debian-bugs@ ...
Debian Bug report logs - #952437: tomcat9: vulnerable for "ghostcat", CVE-2020-1938 / CNVD-2020-10487. Package: tomcat9; Maintainer for tomcat9 is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for tomcat9 is src:tomcat9. Reported by: Joost van Baal-Ilić <joostvb+debian- ...
Synopsis: Important: tomcat security update. Type/Severity: Security Advisory: Important. Topic: An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, w ...
Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 8 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and RHEL 7. Red Hat Product Security has rated this release as having a security impact of Important. A Commo ...
Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 8 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Web Server 3.1. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scorin ...
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Enc ...
Forcepoint Support: CVE-2020-1938 GhostCat Vulnerability. Article Number: 000018077. Products: All. Version: A ...
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88 (CVE-2018-8034). The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in A ...

Github Repositories

Exploit PoC for the Tomcat file inclusion and file read vulnerability

Learnings on how to verify if vulnerable to Ghostcat (aka CVE-2020-1938)

Can execute commands under certain conditions

Test Explo for Ghostcat CVE-2020-1938

Batch scanning for the Tomcat AJP vulnerability

CVE-2020-1938 vulnerability reproduction

CNVD-2020-10487 OR CVE-2020-1938 batch verification script: verifies in bulk and takes screenshots automatically, for easy submission and review

CVE-2020-1938(GhostCat) clean and readable code version

CVE-2020-1938

CNVD-2020-10487 (CVE-2020-1938), Tomcat AJP file read vulnerability PoC

CNVD-2020-10487(CVE-2020-1938), tomcat ajp lfi poc

CVE-2020-1938 / CNVD-2020-1048 Detection Tools

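Java security vulnerability and technique demos, including exploits for native Java, Fastjson, Jackson, Hessian2 and XML deserialization vulnerabilities and for frameworks such as Dubbo (Hessian2 deserialization) and Shiro (PaddingOracleCBC), plus practical code for Java Security Manager bypass, Dubbo-Hessian2 hardening and more.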

This is an open source Snort rules repository

exp for CNVD-2020-10487(CVE-2020-1938)

Collection of vulnerability PoCs built on the pocsuite3 framework written by the Knownsec 404 Team, for security testing.

tomcat ajp read and execute file,CNVD-2020-10487(CVE-2020-1938)

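Uses an arbitrary file download vulnerability to automatically loop through downloading and decompiling class files to recover a site's source code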

Batch detection of the Ghostcat vulnerability

Stage 1.5: Building up an arsenal

Collection of CMS and middleware vulnerability detection and exploitation tools, since 2019-9-15

CVE-2019-0193 RCE

Recent Articles

Apache Tomcat Exploit Poised to Pounce, Stealing Files
Threatpost • Tara Seals • 23 Mar 2020

A vulnerability in the popular Apache Tomcat web server is ripe for active attack, thanks to a proof-of-concept (PoC) exploit making an appearance on GitHub. The now-patched bug affects Tomcat versions 7.0, 8.5 and 9.0.
According to Flashpoint analysts Cheng Lu and Steven Ouellette, an exploit for the “Ghostcat,” security bug (tracked as CVE-2020-1938 and first publicly disclosed Feb. 20) reliably allows information disclosure via file retrieval on a vulnerable server – without authe...

Active Scans for Apache Tomcat Ghostcat Vulnerability Detected, Patch Now
BleepingComputer • Sergiu Gatlan • 02 Mar 2020

Ongoing scans for Apache Tomcat servers unpatched against the Ghostcat vulnerability that allows potential attackers to take over servers have been detected over the weekend.
As cyber threat intelligence firm Bad Packets said on Saturday, "mass scanning activity targeting this vulnerability has already begun. PATCH NOW!"
Ghostcat is a high-risk file read/include vulnerability tracked as CVE-2020-1938 and present in the Apache JServ Protocol (AJP) o...

References

CWE-20
https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864@%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794@%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db@%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522@%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9@%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425@%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7@%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2@%3Cusers.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
https://security.netapp.com/advisory/ntap-20200226-0002/
https://access.redhat.com/errata/RHSA-2020:0912
https://github.com/sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read
https://nvd.nist.gov
https://exchange.xforce.ibmcloud.com/vulnerabilities/176562