CVE-2020-1938 – Apache Tomcat AJP Request Injection and potential Remote Code Execution

Published by Apache: 2020-02-24
MITRE CVE-2020-3158

“When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.”

There is not enough details available yet, but the vulnerability has at least a CVSS Base score of 8.1, High. This depends on how hard it is to exploit, etc.

There is proof of concept published, but as of writing no known public exploitation of this vulnerability.

Basefarm customers will be upgraded as part of normal patching routines.