Ghostcat: Apache Tomcat File Read/Inclusion Flaw in AJP Connector (CVE-2020-1938)
Recently, the China National Vulnerability Database (CNVD) published an advisory for a severe vulnerability in Apache Tomcat’s Apache JServ Protocol, also known as AJP. The vulnerability is identified as CVE-2020-1938 or CNVD-2020-10487 and was reported to the Apache Software Foundation on January 3, 2020. It was discovered by Chaitin Tech, who have called the vulnerability Ghostcat.
AJP is enabled by default in the /conf/server.xml file in Apache Tomcat versions 6, 7, 8 and 9, leaving all unpatched versions of Tomcat vulnerable.
Several researchers have analyzed the vulnerability and published proof-of-concept exploit scripts to GitHub.
For more information about the vulnerability, proof-of-concept exploit scripts, patches and plugin coverage, please visit our blog.
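Because AJP is enabled by default in `conf/server.xml`, a first triage step is to list which AJP connectors are actually active on a host. The script below is an added example, not part of the original post or of Tomcat itself; the sample XML is constructed, and the `address`, `secret` and `requiredSecret` attribute names come from Tomcat's AJP connector configuration rather than from this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a conf/server.xml (not taken from the page).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" /> -->
    <Connector port="8011" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               address="127.0.0.1" secret="constructed-value" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def is_ajp(protocol):
    """True for 'AJP/1.3' or an explicit org.apache.coyote.ajp.* class name."""
    p = protocol.lower()
    return p.startswith("ajp/") or ".ajp." in p

def audit_ajp_connectors(server_xml_text):
    """Return one finding per active AJP <Connector>.

    Commented-out connectors are dropped by the XML parser, so only
    connectors Tomcat would really start are reported.
    """
    findings = []
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        if not is_ajp(conn.get("protocol", "HTTP/1.1")):
            continue
        address = conn.get("address")
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        issues = []
        if address not in LOOPBACK:
            issues.append("not pinned to loopback; bind address depends on Tomcat version")
        if not has_secret:
            issues.append("no shared secret configured")
        findings.append({"port": conn.get("port"), "address": address,
                         "has_secret": has_secret, "issues": issues})
    return findings

if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "REVIEW" if f["issues"] else "ok"
        print(f"AJP port={f['port']} address={f['address']} [{status}] {'; '.join(f['issues'])}")
```

A connector flagged `REVIEW` is a prompt to check the installed Tomcat version against the vendor's patched releases and to confirm whether AJP is needed at all on that host.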