CVE-2020-1938

Exp

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

Published: 2020-02-24 Last update: 2025-10-27 Assigner: [email protected] Source: [email protected]
NVD Status:AnalyzedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2020-1938 is rated Critical Active Threat (99.4/100): CVSS Critical severity, with high exploitation likelihood (EPSS 94.47%, 100th percentile). CISA KEV confirms active exploitation (added 2022-03-03) affecting Apache / Tomcat. Unauthenticated remote administrative access may be possible. The CISA remediation deadline has passed—treat as an emergency patch priority.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

CISA KEV Record for CVE-2020-1938

Name: Apache Tomcat Improper Privilege Management Vulnerability · CISA KEV detail

Exploit added: 2022-03-03

Action due: 2022-03-17

Required action: Apply updates per vendor instructions.

Public exploit references (Exploit-DB) for CVE-2020-1938

EDB-ID Source Kind Published Link
49039 exploit_db edb 2020-11-13 Exploit-DB ↗
48143 exploit_db edb 2020-02-20 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2020-1938

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-11-21 94.27% 94.47% +0.20%
2 2025-11-18 94.47% 94.27% -0.20%
3 2025-03-17 94.47%

Full EPSS history (11 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2020-1938

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 5.9 [email protected]
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 5.9 134c704f-9b21-4f2e-91b3-4a467353bcc0
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2020-1938

GitHub Security Advisory for CVE-2020-1938

GHSA-c9hw-wf7x-jp9j · Severity: critical · Ecosystem: maven — Improper Privilege Management in Tomcat

OS Trackers for CVE-2020-1938

vendor priority summary link
debian not yet assigned CVE-2020-1938 not yet assigned priority: Debian including 1 source packages (tomcat9), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2020-1938
gentoo normal CVE-2020-1938: 1 GLSA(s) (202003-43), 1 atom(s) (www-servers/tomcat); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2020-1938
redhat high https://access.redhat.com/security/cve/CVE-2020-1938
suse high CVE-2020-1938 severity important: SUSE including 386 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 750 product×package rows across 39 product lines (HPE Helion OpenStack 8, SUSE Enterprise Storage 5, … (39 product lines)): Fixed 512, Known Affected 231, Known Not Affected 7. https://www.suse.com/security/cve/CVE-2020-1938/
ubuntu low CVE-2020-1938 low priority: Ubuntu including 3 source packages (tomcat7, tomcat8, tomcat9), 42 status rows across 14 suites (bionic, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, trusty, upstream, xenial): DNE 23, not-affected 9, ignored 7, needs-triage 2, released 1. https://ubuntu.com/security/CVE-2020-1938

Affected software / configurations for CVE-2020-1938

Vendor Product Version Raw CPE
apache geode 1.12.0 cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*
apache tomcat >= 7.0.0, < 7.0.100 cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apache tomcat >= 8.5.0, < 8.5.51 cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
apache tomcat >= 9.0.0, < 9.0.31 cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
fedoraproject fedora 30 cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
fedoraproject fedora 31 cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
fedoraproject fedora 32 cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
oracle agile_engineering_data_management 6.2.1.0 cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
oracle agile_plm 9.3.3 cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
oracle agile_plm 9.3.5 cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
oracle agile_plm 9.3.6 cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
oracle communications_element_manager 8.1.1 cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
oracle communications_element_manager 8.2.0 cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
oracle communications_element_manager 8.2.1 cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
oracle communications_instant_messaging_server 10.0.1.4.0 cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
oracle health_sciences_empirica_inspections 1.0.1.2 cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:*:*:*:*:*:*:*
oracle health_sciences_empirica_signal 7.3.3 cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:*:*:*:*:*:*:*
oracle hospitality_guest_access 4.2.0 cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
oracle hospitality_guest_access 4.2.1 cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
oracle instantis_enterprisetrack >= 17.1, <= 17.3 cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*
oracle mysql_enterprise_monitor <= 4.0.12 cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
oracle mysql_enterprise_monitor >= 8.0.0, <= 8.0.20 cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
oracle siebel_ui_framework <= 20.5 cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
oracle transportation_management 6.3.7 cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*
oracle workload_manager 12.2.0.1 cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*
oracle workload_manager 18c cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*
oracle workload_manager 19c cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*
debian debian_linux 8.0 cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
debian debian_linux 10.0 cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
opensuse leap 15.1 cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
blackberry good_control <= 5.2.58.38 cpe:2.3:a:blackberry:good_control:*:*:*:*:*:*:*:*
blackberry workspaces_server 7.0.1 cpe:2.3:a:blackberry:workspaces_server:7.0.1:*:*:*:*:*:*:*
blackberry workspaces_server 7.1.2 cpe:2.3:a:blackberry:workspaces_server:7.1.2:*:*:*:*:*:*:*
blackberry workspaces_server 8.1.0 cpe:2.3:a:blackberry:workspaces_server:8.1.0:*:*:*:*:*:*:*
blackberry workspaces_server 9.0 cpe:2.3:a:blackberry:workspaces_server:9.0:*:*:*:*:*:*:*
netapp data_availability_services cpe:2.3:a:netapp:data_availability_services:-:*:*:*:*:*:*:*
netapp oncommand_system_manager >= 3.0.0, <= 3.1.3 cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*

References for CVE-2020-1938

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html Mailing List Third Party Advisory
http://support.blackberry.com/kb/articleDetail?articleNumber=000062739 Third Party Advisory
https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a54836b7ee2d839d8e%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e%40%3Cusers.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e08f949f0396ab1%40%3Cusers.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65%40%3Cusers.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda%40%3Ccommits.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a66398b1491254f7864%40%3Cusers.tomcat.apache.org%3E Issue Tracking Mailing List
https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f%40%3Cusers.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244fe02007d5b8d6f6%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf974814cc48ca97%40%3Ccommits.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b87895c0ddbe02b%40%3Cusers.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b9395e9a6796e7c%40%3Cusers.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r6a5633cad1b560a1e51f5b425f02918bdf30e090fdf18c5f7c2617eb%40%3Ccommits.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r74328b178f9f37fe759dffbc9c1f2793e66d79d7a8a20d3836551794%40%3Cnotifications.ofbiz.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d%40%3Cnotifications.ofbiz.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d%40%3Cdev.tomcat.apache.org%3E Issue Tracking Mailing List
https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r856cdd87eda7af40b50278d6de80ee4b42d63adeb433a34a7bdaf9db%40%3Cnotifications.ofbiz.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922%40%3Cannounce.apache.org%3E Mailing List Vendor Advisory
https://lists.apache.org/thread.html/r92d78655c068d0bc991d1edbdfb24f9c5134603e647cade1113d4e0a%40%3Cusers.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r9f119d9ce9239114022e13dbfe385b3de7c972f24f05d6dbd35c1a2f%40%3Cusers.tomcat.apache.org%3E Mailing List Patch
https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rad36ec6a1ffc9e43266b030c22ceeea569243555d34fb4187ff08522%40%3Cnotifications.ofbiz.apache.org%3E Exploit Mailing List
https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E Mailing List Patch
https://lists.apache.org/thread.html/rb2fc890bef23cbc7f343900005fe1edd3b091cf18dada455580258f9%40%3Cusers.tomcat.apache.org%3E Issue Tracking Mailing List
https://lists.apache.org/thread.html/rbdb1d2b651a3728f0ceba9e0853575b6f90296a94a71836a15f7364a%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rc068e824654c4b8bd4f2490bec869e29edbfcd5dfe02d47cbf7433b2%40%3Cdev.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rcd5cd301e9e7e39f939baf2f5d58704750be07a5e2d3393e40ca7194%40%3Ccommits.tomee.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rce2af55f6e144ffcdc025f997eddceb315dfbc0b230e3d750a7f7425%40%3Cnotifications.ofbiz.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rd0774c95699d5aeb5e16e9a600fb2ea296e81175e30a62094e27e3e7%40%3Ccommits.ofbiz.apache.org%3E Mailing List Patch
https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b%40%3Cusers.tomcat.apache.org%3E Issue Tracking Mailing List
https://lists.apache.org/thread.html/re5eecbe5bf967439bafeeaa85987b3a43f0e6efe06b6976ee768cde2%40%3Cusers.tomcat.apache.org%3E Issue Tracking Mailing List
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E Mailing List Vendor Advisory
https://lists.apache.org/thread.html/rf26663f42e7f1a1d1cac732469fb5e92c89908a48b61ec546dbb79ca%40%3Cbugs.httpd.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rf992c5adf376294af31378a70aa8a158388a41d7039668821be28df3%40%3Ccommits.tomee.apache.org%3E Mailing List Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS/ Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG/ Release Notes
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B/ Release Notes
https://security.gentoo.org/glsa/202003-43 Third Party Advisory
https://security.netapp.com/advisory/ntap-20200226-0002/ Third Party Advisory
https://www.debian.org/security/2020/dsa-4673 Third Party Advisory
https://www.debian.org/security/2020/dsa-4680 Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html Patch Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1938 US Government Resource
cvelogic Threat Intelligence