CVE-2020-1938 vulnerability in Apache and Other Products
Published on February 24, 2020
Known Exploited Vulnerability
This Apache Tomcat Improper Privilege Management Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Apache Tomcat treats Apache JServ Protocol (AJP) connections as more trusted than an equivalent HTTP connection. If an AJP connector is reachable by an attacker, that elevated trust can be exploited.
The following remediation is recommended, and required by CISA by March 17, 2022: apply updates per vendor instructions.
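To make the trust boundary described above concrete, here is an added illustration (example configuration written for this page, not taken from the page itself or from the Tomcat project's documentation) that contrasts a Tomcat server.xml AJP connector left reachable from every interface with one bound to loopback and protected by a shared secret. The secret value is a placeholder; the secret and secretRequired attributes exist in the Tomcat releases that followed the vulnerable ranges listed below.

```xml
<!-- Added example server.xml fragments, not from the page above. -->

<!-- Weak: the AJP connector listens on every interface with no shared
     secret, so any host that can reach TCP/8009 receives AJP's elevated
     trust. This is the shape of the pre-fix default connector. -->
<Connector protocol="AJP/1.3"
           port="8009"
           redirectPort="8443" />

<!-- Preferred when AJP is not used at all: delete or comment out the
     connector so that no AJP listener is started. -->

<!-- Hardened: bind to loopback only and require a shared secret that the
     reverse proxy in front of Tomcat must present on every connection.
     REPLACE_WITH_LONG_RANDOM_SECRET is a placeholder value. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           redirectPort="8443"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
```

After the change, the proxy side must be configured with the same secret (for mod_jk, the worker's secret property) or it will be refused. A quick check on the Tomcat host is `ss -ltnp`: port 8009 should be absent or bound to 127.0.0.1, never to 0.0.0.0 or *.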
Vulnerability Analysis
CVE-2020-1938 is exploitable with network access and requires neither privileges nor user interaction. Its attack complexity is rated low, and it has the highest possible exploitability score (3.9). The potential impact is considered critical, since the vulnerability has a high impact on the confidentiality, integrity and availability of the affected component.
Products Associated with CVE-2020-1938
What versions are vulnerable to CVE-2020-1938?
- Apache Tomcat Version 7.0.0 through 7.0.99
- Apache Tomcat Version 8.5.0 through 8.5.50
- Apache Tomcat Version 9.0.0 through 9.0.30
- Apache Geode Version 1.12.0
- Fedora Project Fedora Version 30
- Fedora Project Fedora Version 31
- Fedora Project Fedora Version 32
- Oracle Transportation Management Version 6.3.7
- Oracle Hospitality Guest Access Version 4.2.0
- Oracle Hospitality Guest Access Version 4.2.1
- Oracle Agile PLM Version 9.3.3
- Oracle Agile PLM Version 9.3.5
- Oracle Agile PLM Version 9.3.6
- Oracle Instantis EnterpriseTrack Version 17.1 through 17.3
- Oracle MySQL Enterprise Monitor Up to Version 4.0.12
- Oracle Health Sciences Empirica Signal Version 7.3.3
- Oracle Agile Engineering Data Management Version 6.2.1.0
- Oracle Communications Element Manager Version 8.1.1
- Oracle Communications Element Manager Version 8.2.0
- Oracle Communications Element Manager Version 8.2.1
- Oracle Communications Instant Messaging Server Version 10.0.1.4.0
- Oracle Health Sciences Empirica Inspections Version 1.0.1.2
- Oracle MySQL Enterprise Monitor Version 8.0.0 through 8.0.20
- Oracle Siebel UI Framework Up to Version 20.5
- Oracle Workload Manager Version 12.2.0.1
- Oracle Workload Manager Version 18c
- Oracle Workload Manager Version 19c
- Debian Linux Version 8.0
- Debian Linux Version 9.0
- Debian Linux Version 10.0
- openSUSE Leap Version 15.1
- Blackberry Good Control Up to Version 5.2.58.38
- Blackberry Workspaces Server Version 7.0.1
- Blackberry Workspaces Server Version 7.1.2
- Blackberry Workspaces Server Version 9.0
- Blackberry Workspaces Server Version 8.1.0