Vulnerability Details : CVE-2020-1938
Public exploit exists!
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.

In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required.

This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP

Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible.

It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
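An added example (not part of the advisory or of Tomcat itself): a small Python audit that applies the affected version ranges from the description and checks a `server.xml` for enabled AJP Connectors that bind beyond loopback. The sample `server.xml` snippets are constructed; the `address`, `secret` and `requiredSecret` attribute names and the loopback default in the fixed releases are taken from Tomcat's AJP Connector documentation, not from this page.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Affected ranges as stated in the CVE description (inclusive bounds).
AFFECTED = [((9, 0, 0), (9, 0, 30)), ((8, 5, 0), (8, 5, 50)), ((7, 0, 0), (7, 0, 99))]

def parse_version(text):
    """'9.0.0.M1' -> (9, 0, 0); milestone and suffix parts are ignored."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits or 0))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def _is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:               # hostname rather than an IP literal
        return addr.lower() == "localhost"

def audit_ajp(server_xml, version):
    """Return one finding per enabled AJP Connector in server.xml.

    Commented-out Connectors are ignored because the XML parser drops comments.
    'exposed' reflects the bind address only; a host or network firewall may
    still restrict who can reach the port.
    """
    affected = is_affected(version)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        addr = conn.get("address")
        if addr is None:
            # Affected releases: all configured addresses (per the advisory).
            # Fixed releases: loopback by default (Tomcat docs, assumption here).
            exposed = affected
        else:
            exposed = not _is_loopback(addr)
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        if exposed and affected:
            action = "disable or restrict the Connector to trusted peers, then upgrade"
        elif exposed:
            action = "confirm only trusted proxies can reach this port"
        else:
            action = "bind address is loopback; upgrade if on an affected release"
        findings.append({"port": conn.get("port"), "address": addr or "(default)",
                         "exposed": exposed, "affected_version": affected,
                         "has_secret": has_secret, "action": action})
    return findings

# Constructed samples: a pre-fix style default, and a loopback-bound Connector.
SAMPLE_DEFAULT = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

SAMPLE_LOOPBACK = """<Server><Service name="Catalina">
  <!-- <Connector port="8010" protocol="AJP/1.3" /> -->
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
</Service></Server>"""

if __name__ == "__main__":
    for name, xml, ver in [("default", SAMPLE_DEFAULT, "9.0.30"),
                           ("loopback", SAMPLE_LOOPBACK, "8.5.50")]:
        for finding in audit_ajp(xml, ver):
            print(name, ver, finding)
```
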
Vulnerability category: Execute code
Products affected by CVE-2020-1938
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- Oracle » Mysql Enterprise Monitor: versions from 8.0.0 (inclusive) up to 8.0.20 (inclusive); cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
- Oracle » Instantis Enterprisetrack: versions from 17.1 (inclusive) up to 17.3 (inclusive); cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:health_sciences_empirica_signal:7.3.3:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:blackberry:workspaces_server:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:blackberry:workspaces_server:7.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:blackberry:workspaces_server:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:blackberry:workspaces_server:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:blackberry:good_control:*:*:*:*:*:*:*:*
- Netapp » Oncommand System Manager: versions from 3.0.0 (inclusive) up to 3.1.3 (inclusive); cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:data_availability_services:-:*:*:*:*:*:*:*
Threat overview for CVE-2020-1938
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2020-1938: 304,420
Threat actors abusing this issue? Yes
CVE-2020-1938 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: Apache Tomcat Improper Privilege Management Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-1938
Added on: 2022-03-03
Action due date: 2022-03-17
Exploit prediction scoring system (EPSS) score for CVE-2020-1938
EPSS score: 97.40% (probability of exploitation activity in the next 30 days)
Percentile: ~ 100 % (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2020-1938
- Apache Tomcat AJP File Read
  Disclosure Date: 2020-02-20. First seen: 2020-11-30. Module: auxiliary/admin/http/tomcat_ghostcat
  When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they
CVSS scores for CVE-2020-1938
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-02-06 |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |