Vulnerability-Lookup

RHSA-2020:2783

Vulnerability from csaf_redhat - Published: 2020-07-01 11:21 - Updated: 2026-02-23 19:17

Summary

Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.23 security update

Severity

Important

Notes

Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.23 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.22, and includes bug fixes and enhancements, which are documented in the Release Notes document listed in the References section. Security Fix(es): * jbossweb: tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938) * JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command (CVE-2019-14885) For more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2019-14885

A flaw was found in the JBoss EAP Vault system. Confidential information of the system property’s security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information.

5.4 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-532 - Insertion of Sensitive Information into Log File

Vendor Fix Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications. The References section of this erratum contains a download link (you must log in to download the update). You must restart the JBoss server process for the update to take effect. https://access.redhat.com/errata/RHSA-2020:2783

CVE-2020-1938

CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. This is enabled by default with a default configuration port of 8009. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).

7.6 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CWE-285 - Improper Authorization

Workaround Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251

References

URL

Category

	https://access.redhat.com/errata/RHSA-2020:2783	self
	https://access.redhat.com/security/updates/classi…	external
	https://access.redhat.com/documentation/en-US/JBo…	external
	https://access.redhat.com/jbossnetwork/restricted…	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1700855	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1708467	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1770615	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1772542	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1806398	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1816579	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1816629	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1819214	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2019-14885	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1770615	external
	https://www.cve.org/CVERecord?id=CVE-2019-14885	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-14885	external
	https://access.redhat.com/security/cve/CVE-2020-1938	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1806398	external
	https://www.cve.org/CVERecord?id=CVE-2020-1938	external
	https://nvd.nist.gov/vuln/detail/CVE-2020-1938	external
	https://meterpreter.org/cve-2020-1938-apache-tomc…	external
	https://tomcat.apache.org/security-7.html#Fixed_i…	external
	https://tomcat.apache.org/security-8.html#Fixed_i…	external
	https://tomcat.apache.org/security-9.html#Fixed_i…	external
	https://www.cnvd.org.cn/webinfo/show/5415	external
	https://www.tenable.com/blog/cve-2020-1938-ghostc…	external
	https://www.cisa.gov/known-exploited-vulnerabilit…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat JBoss Enterprise Application Platform 6.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server.\n\nThis release of Red Hat JBoss Enterprise Application Platform 6.4.23 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.22, and includes bug fixes and enhancements, which are documented in the Release Notes document listed in the References section.\n\nSecurity Fix(es):\n\n* jbossweb: tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938)\n\n* JBoss EAP: Vault system property security attribute value is revealed on CLI \u0027reload\u0027 command (CVE-2019-14885)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, see the CVE page(s) listed in the References section.\n\nAll users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2020:2783",
        "url": "https://access.redhat.com/errata/RHSA-2020:2783"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html",
        "url": "https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.4/index.html"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform\u0026downloadType=securityPatches\u0026version=6.4"
      },
      {
        "category": "external",
        "summary": "1700855",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1700855"
      },
      {
        "category": "external",
        "summary": "1708467",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1708467"
      },
      {
        "category": "external",
        "summary": "1770615",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1770615"
      },
      {
        "category": "external",
        "summary": "1772542",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1772542"
      },
      {
        "category": "external",
        "summary": "1806398",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1806398"
      },
      {
        "category": "external",
        "summary": "1816579",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816579"
      },
      {
        "category": "external",
        "summary": "1816629",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1816629"
      },
      {
        "category": "external",
        "summary": "1819214",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1819214"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2783.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.23 security update",
    "tracking": {
      "current_release_date": "2026-02-23T19:17:41+00:00",
      "generator": {
        "date": "2026-02-23T19:17:41+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.1"
        }
      },
      "id": "RHSA-2020:2783",
      "initial_release_date": "2020-07-01T11:21:09+00:00",
      "revision_history": [
        {
          "date": "2020-07-01T11:21:09+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-07-01T11:21:09+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-02-23T19:17:41+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Enterprise Application Platform 6.4",
                "product": {
                  "name": "Red Hat JBoss Enterprise Application Platform 6.4",
                  "product_id": "Red Hat JBoss Enterprise Application Platform 6.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Enterprise Application Platform"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-14885",
      "cwe": {
        "id": "CWE-532",
        "name": "Insertion of Sensitive Information into Log File"
      },
      "discovery_date": "2019-10-28T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1770615"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the JBoss EAP Vault system. Confidential information of the system property\u2019s security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI \u0027reload\u0027 command. This flaw can lead to the exposure of confidential information.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "EAP: Vault system property security attribute value is revealed on CLI \u0027reload\u0027 command",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-14885"
        },
        {
          "category": "external",
          "summary": "RHBZ#1770615",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1770615"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-14885",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-14885"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14885",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14885"
        }
      ],
      "release_date": "2020-01-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-01T11:21:09+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nYou must restart the JBoss server process for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:2783"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "EAP: Vault system property security attribute value is revealed on CLI \u0027reload\u0027 command"
    },
    {
      "cve": "CVE-2020-1938",
      "cwe": {
        "id": "CWE-285",
        "name": "Improper Authorization"
      },
      "discovery_date": "2020-02-24T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1806398"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. This is enabled by default with a default configuration port of 8009. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 and CVE page https://access.redhat.com/security/cve/cve-2020-1745",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Enterprise Application Platform 6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2020-1938"
        },
        {
          "category": "external",
          "summary": "RHBZ#1806398",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1806398"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2020-1938",
          "url": "https://www.cve.org/CVERecord?id=CVE-2020-1938"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1938",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1938"
        },
        {
          "category": "external",
          "summary": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/",
          "url": "https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/"
        },
        {
          "category": "external",
          "summary": "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100",
          "url": "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100"
        },
        {
          "category": "external",
          "summary": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51",
          "url": "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51"
        },
        {
          "category": "external",
          "summary": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31",
          "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31"
        },
        {
          "category": "external",
          "summary": "https://www.cnvd.org.cn/webinfo/show/5415",
          "url": "https://www.cnvd.org.cn/webinfo/show/5415"
        },
        {
          "category": "external",
          "summary": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487",
          "url": "https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2020-02-20T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-07-01T11:21:09+00:00",
          "details": "Before applying this update, back up your existing Red Hat JBoss Enterprise Application Platform installation and deployed applications.\n\nThe References section of this erratum contains a download link (you must log in to download the update).\n\nYou must restart the JBoss server process for the update to take effect.",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:2783"
        },
        {
          "category": "workaround",
          "details": "Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251",
          "product_ids": [
            "Red Hat JBoss Enterprise Application Platform 6.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat JBoss Enterprise Application Platform 6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2022-03-03T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability"
    }
  ]
}

CVE-2019-14885 (GCVE-0-2019-14885)

Vulnerability from cvelistv5 – Published: 2020-01-23 00:00 – Updated: 2024-08-05 00:26

Summary

A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information.

Severity ?

5.4 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE

CWE-532

Assigner

redhat

References

URL

	Vendor	Product	Version
	Red Hat	JBoss EAP	Affected: All versions before 7.2.6.GA

CVE-2020-1938 (GCVE-0-2020-1938)

Vulnerability from cvelistv5 – Published: 2020-02-24 21:19 – Updated: 2025-10-21 23:35

Summary

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

AJP Request Injection leading to possible Remote Code Execution

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread.html/r7c6f492fbd3…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r856cdd87eda…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r75113652e46…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rd0774c95699…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r74328b178f9…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rce2af55f6e1…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rad36ec6a1ff…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rb2fc890bef2…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r38a5b7943b9…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r17aaa3a05b5…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rd50baccd1bb…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r4afa11e0464…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r772335e6851…	mailing-listx_refsource_MLIST
	https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/re5eecbe5bf9…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r5e2f1201b92…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r549b43509e3…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r61f280a7690…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r4f86cb26019…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r9f119d9ce92…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r089dc67c035…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rbdb1d2b651a…	mailing-listx_refsource_MLIST
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://lists.apache.org/thread.html/rc068e824654…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rf26663f42e7…	mailing-listx_refsource_MLIST
	https://security.gentoo.org/glsa/202003-43	vendor-advisoryx_refsource_GENTOO
	https://lists.apache.org/thread.html/rcd5cd301e9e…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rf992c5adf37…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r6a5633cad1b…	mailing-listx_refsource_MLIST
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.apache.org/thread.html/r43faacf6457…	mailing-listx_refsource_MLIST
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://www.debian.org/security/2020/dsa-4673	vendor-advisoryx_refsource_DEBIAN
	https://www.debian.org/security/2020/dsa-4680	vendor-advisoryx_refsource_DEBIAN
	https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rb1c0fb105ce…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/ra7092f74925…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r8f748458945…	mailing-listx_refsource_MLIST
	https://www.oracle.com/security-alerts/cpujul2020.html	x_refsource_MISC
	https://security.netapp.com/advisory/ntap-2020022…	x_refsource_CONFIRM
	http://support.blackberry.com/kb/articleDetail?ar…	x_refsource_CONFIRM
	https://lists.apache.org/thread.html/r92d78655c06…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/rf1bbc0ea4a9…	mailing-listx_refsource_MLIST
	https://www.oracle.com/security-alerts/cpuoct2020.html	x_refsource_MISC
	https://lists.apache.org/thread.html/r57f5e4ced43…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r47caef01f66…	mailing-listx_refsource_MLIST
	https://www.oracle.com/security-alerts/cpujan2021.html	x_refsource_MISC
	https://lists.apache.org/thread.html/r90890afea72…	mailing-listx_refsource_MLIST
	https://lists.apache.org/thread.html/r1125f3044a0…	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache	Apache Tomcat	Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.30 Affected: 8.5.0 to 8.5.50 Affected: 7.0.0 to 7.0.99

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T06:54:00.412Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[tomcat-announce] 20200224 [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200225 [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200225 [jira] [Updated] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-commits] 20200227 [ofbiz-plugins] branch release17.12 updated: Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938) (OFBIZ-11407)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7%40%3Ccommits.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200227 [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200228 [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200228 [jira] [Comment Edited] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200301 Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200302 Re: AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200302 AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200302 Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200304 Re: Fix for CVE-2020-1938",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20200304 Re: Tagging 10.0.x, 9.0.x, 8.5.x",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20200304 [SECURITY] [DLA 2133-1] tomcat7 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"
          },
          {
            "name": "[tomcat-users] 20200305 Aw: Re: Fix for CVE-2020-1938",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200305 Re: Aw: Re: Fix for CVE-2020-1938",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20200309 [Bug 64206] Answer file not being used",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200309 Re: Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200310 Aw: Re: Re: Fix for CVE-2020-1938",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-users] 20200310 Re: Re: Re: Fix for CVE-2020-1938",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20200311 CVE-2020-1938 on Tomcat 9.0.30 / TomEE 8.0.1",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-dev] 20200311 Re: CVE-2020-1938 on Tomcat 9.0.30 / TomEE 8.0.1",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "openSUSE-SU-2020:0345",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"
          },
          {
            "name": "[tomee-dev] 20200316 RE: CVE-2020-8840 on TomEE 8.0.1",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2%40%3Cdev.tomee.apache.org%3E"
          },
          {
            "name": "[httpd-bugs] 20200319 [Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca%40%3Cbugs.httpd.apache.org%3E"
          },
          {
            "name": "GLSA-202003-43",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202003-43"
          },
          {
            "name": "[tomee-commits] 20200320 [jira] [Updated] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-commits] 20200320 [jira] [Created] (TOMEE-2789) TomEE plus is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-commits] 20200323 [jira] [Commented] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "FEDORA-2020-0e42878ba7",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS/"
          },
          {
            "name": "FEDORA-2020-c870aa8378",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B/"
          },
          {
            "name": "FEDORA-2020-04ac174fa9",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG/"
          },
          {
            "name": "[tomcat-users] 20200413 RE: Alternatives for AJP",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65%40%3Cusers.tomcat.apache.org%3E"
          },
          {
            "name": "openSUSE-SU-2020:0597",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html"
          },
          {
            "name": "DSA-4673",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4673"
          },
          {
            "name": "DSA-4680",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2020/dsa-4680"
          },
          {
            "name": "[debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
          },
          {
            "name": "[tomcat-dev] 20200625 svn commit: r1879208 - in /tomcat/site/trunk: docs/security-10.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-8.xml xdocs/security-9.xml",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200628 [jira] [Updated] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "name": "[ofbiz-notifications] 20200628 [jira] [Created] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200226-0002/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000062739"
          },
          {
            "name": "[tomee-users] 20200723 Re: TomEE on Docker",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a%40%3Cusers.tomee.apache.org%3E"
          },
          {
            "name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
          },
          {
            "name": "[tomee-commits] 20201127 [jira] [Resolved] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "name": "[tomee-commits] 20201127 [jira] [Updated] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda%40%3Ccommits.tomee.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
          },
          {
            "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2020-1938",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-06T21:05:38.047118Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-03-03",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1938"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:35:50.835Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1938"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-03-03T00:00:00.000Z",
            "value": "CVE-2020-1938 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Tomcat",
          "vendor": "Apache",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Tomcat 9.0.0.M1 to 9.0.0.30"
            },
            {
              "status": "affected",
              "version": "8.5.0 to 8.5.50"
            },
            {
              "status": "affected",
              "version": "7.0.0 to 7.0.99"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "AJP Request Injection leading to possible Remote Code Execution",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-24T03:06:28.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "[tomcat-announce] 20200224 [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200225 [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200225 [jira] [Updated] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-commits] 20200227 [ofbiz-plugins] branch release17.12 updated: Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938) (OFBIZ-11407)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7%40%3Ccommits.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200227 [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200228 [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200228 [jira] [Comment Edited] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200301 Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200302 Re: AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200302 AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200302 Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200304 Re: Fix for CVE-2020-1938",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20200304 Re: Tagging 10.0.x, 9.0.x, 8.5.x",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[debian-lts-announce] 20200304 [SECURITY] [DLA 2133-1] tomcat7 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"
        },
        {
          "name": "[tomcat-users] 20200305 Aw: Re: Fix for CVE-2020-1938",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200305 Re: Aw: Re: Fix for CVE-2020-1938",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20200309 [Bug 64206] Answer file not being used",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200309 Re: Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200310 Aw: Re: Re: Fix for CVE-2020-1938",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-users] 20200310 Re: Re: Re: Fix for CVE-2020-1938",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20200311 CVE-2020-1938 on Tomcat 9.0.30 / TomEE 8.0.1",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-dev] 20200311 Re: CVE-2020-1938 on Tomcat 9.0.30 / TomEE 8.0.1",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "openSUSE-SU-2020:0345",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"
        },
        {
          "name": "[tomee-dev] 20200316 RE: CVE-2020-8840 on TomEE 8.0.1",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2%40%3Cdev.tomee.apache.org%3E"
        },
        {
          "name": "[httpd-bugs] 20200319 [Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca%40%3Cbugs.httpd.apache.org%3E"
        },
        {
          "name": "GLSA-202003-43",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202003-43"
        },
        {
          "name": "[tomee-commits] 20200320 [jira] [Updated] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194%40%3Ccommits.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-commits] 20200320 [jira] [Created] (TOMEE-2789) TomEE plus is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3%40%3Ccommits.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-commits] 20200323 [jira] [Commented] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb%40%3Ccommits.tomee.apache.org%3E"
        },
        {
          "name": "FEDORA-2020-0e42878ba7",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS/"
        },
        {
          "name": "FEDORA-2020-c870aa8378",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B/"
        },
        {
          "name": "FEDORA-2020-04ac174fa9",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG/"
        },
        {
          "name": "[tomcat-users] 20200413 RE: Alternatives for AJP",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65%40%3Cusers.tomcat.apache.org%3E"
        },
        {
          "name": "openSUSE-SU-2020:0597",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html"
        },
        {
          "name": "DSA-4673",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4673"
        },
        {
          "name": "DSA-4680",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2020/dsa-4680"
        },
        {
          "name": "[debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
        },
        {
          "name": "[tomcat-dev] 20200625 svn commit: r1879208 - in /tomcat/site/trunk: docs/security-10.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-8.xml xdocs/security-9.xml",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200628 [jira] [Updated] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "name": "[ofbiz-notifications] 20200628 [jira] [Created] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200226-0002/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000062739"
        },
        {
          "name": "[tomee-users] 20200723 Re: TomEE on Docker",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a%40%3Cusers.tomee.apache.org%3E"
        },
        {
          "name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
        },
        {
          "name": "[tomee-commits] 20201127 [jira] [Resolved] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97%40%3Ccommits.tomee.apache.org%3E"
        },
        {
          "name": "[tomee-commits] 20201127 [jira] [Updated] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda%40%3Ccommits.tomee.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
        },
        {
          "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E"
        },
        {
          "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2020-1938",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Tomcat",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Tomcat 9.0.0.M1 to 9.0.0.30"
                          },
                          {
                            "version_value": "8.5.0 to 8.5.50"
                          },
                          {
                            "version_value": "7.0.0 to 7.0.99"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "AJP Request Injection leading to possible Remote Code Execution"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[tomcat-announce] 20200224 [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200225 [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200225 [jira] [Updated] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-commits] 20200227 [ofbiz-plugins] branch release17.12 updated: Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938) (OFBIZ-11407)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7@%3Ccommits.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200227 [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200228 [jira] [Commented] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200228 [jira] [Comment Edited] (OFBIZ-11407) Upgrade Tomcat from 9.0.29 to 9.0.31 (CVE-2020-1938)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200301 Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200302 Re: AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200302 AW: [SECURITY] CVE-2020-1938 AJP Request Injection and potentialRemote Code Execution",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200302 Re: [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200304 Re: Fix for CVE-2020-1938",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20200304 Re: Tagging 10.0.x, 9.0.x, 8.5.x",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20200304 [SECURITY] [DLA 2133-1] tomcat7 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"
            },
            {
              "name": "[tomcat-users] 20200305 Aw: Re: Fix for CVE-2020-1938",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200305 Re: Aw: Re: Fix for CVE-2020-1938",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20200309 [Bug 64206] Answer file not being used",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200309 Re: Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200310 Aw: Re: Re: Fix for CVE-2020-1938",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-users] 20200310 Re: Re: Re: Fix for CVE-2020-1938",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20200311 CVE-2020-1938 on Tomcat 9.0.30 / TomEE 8.0.1",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-dev] 20200311 Re: CVE-2020-1938 on Tomcat 9.0.30 / TomEE 8.0.1",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "openSUSE-SU-2020:0345",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"
            },
            {
              "name": "[tomee-dev] 20200316 RE: CVE-2020-8840 on TomEE 8.0.1",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2@%3Cdev.tomee.apache.org%3E"
            },
            {
              "name": "[httpd-bugs] 20200319 [Bug 53098] mod_proxy_ajp: patch to set worker secret passed to tomcat",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca@%3Cbugs.httpd.apache.org%3E"
            },
            {
              "name": "GLSA-202003-43",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202003-43"
            },
            {
              "name": "[tomee-commits] 20200320 [jira] [Updated] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194@%3Ccommits.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-commits] 20200320 [jira] [Created] (TOMEE-2789) TomEE plus is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3@%3Ccommits.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-commits] 20200323 [jira] [Commented] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb@%3Ccommits.tomee.apache.org%3E"
            },
            {
              "name": "FEDORA-2020-0e42878ba7",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS/"
            },
            {
              "name": "FEDORA-2020-c870aa8378",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B/"
            },
            {
              "name": "FEDORA-2020-04ac174fa9",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG/"
            },
            {
              "name": "[tomcat-users] 20200413 RE: Alternatives for AJP",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65@%3Cusers.tomcat.apache.org%3E"
            },
            {
              "name": "openSUSE-SU-2020:0597",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html"
            },
            {
              "name": "DSA-4673",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4673"
            },
            {
              "name": "DSA-4680",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2020/dsa-4680"
            },
            {
              "name": "[debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
            },
            {
              "name": "[tomcat-dev] 20200625 svn commit: r1879208 - in /tomcat/site/trunk: docs/security-10.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-8.xml xdocs/security-9.xml",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200628 [jira] [Updated] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "[ofbiz-notifications] 20200628 [jira] [Created] (OFBIZ-11847) CLONE - Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1@%3Cnotifications.ofbiz.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujul2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200226-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200226-0002/"
            },
            {
              "name": "http://support.blackberry.com/kb/articleDetail?articleNumber=000062739",
              "refsource": "CONFIRM",
              "url": "http://support.blackberry.com/kb/articleDetail?articleNumber=000062739"
            },
            {
              "name": "[tomee-users] 20200723 Re: TomEE on Docker",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a@%3Cusers.tomee.apache.org%3E"
            },
            {
              "name": "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
            },
            {
              "name": "[tomee-commits] 20201127 [jira] [Resolved] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97@%3Ccommits.tomee.apache.org%3E"
            },
            {
              "name": "[tomee-commits] 20201127 [jira] [Updated] (TOMEE-2789) TomEE plus(7.0.7) is affected by CVE-2020-1938(BDSA-2020-0339) vulnerability.",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda@%3Ccommits.tomee.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2021.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2021.html"
            },
            {
              "name": "[announce] 20210125 Apache Software Foundation Security Report: 2020",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E"
            },
            {
              "name": "[announce] 20210223 Re: Apache Software Foundation Security Report: 2020",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2020-1938",
    "datePublished": "2020-02-24T21:19:18.000Z",
    "dateReserved": "2019-12-02T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:35:50.835Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2020:2783

CVE-2019-14885 (GCVE-0-2019-14885)

CVE-2020-1938 (GCVE-0-2020-1938)

Tags

Sightings

Nomenclature