Infrastructure | 5 min read | Credibility 40/100

Apache Tomcat AJP vulnerability (CVE-2020-1938 'Ghostcat') patched

Apache released fixes for CVE-2020-1938, an AJP request injection flaw dubbed Ghostcat that allows file reads and potential remote code execution on default Tomcat installations.

[Figure: timeline of source publication cadence, sized by credibility; 2 publication timestamps support this briefing.]

Executive briefing: The Apache Tomcat project issued security updates on to remediate CVE-2020-1938, a flaw in the Apache JServ Protocol (AJP) connector that can allow unauthenticated file read and, in certain configurations, remote code execution. Fixed versions include Tomcat 9.0.31, 8.5.51, and 7.0.100.

Operator action: Upgrade Tomcat to the patched releases, disable or firewall the AJP connector where not required, and configure the secretRequired and secret attributes for any remaining AJP listeners. Validate application server images and container base layers to ensure vulnerable builds are not redeployed.
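To turn the operator actions above into a repeatable check, here is an added example (not code from the Apache advisory or the Tomcat project): it audits a constructed server.xml for AJP connectors that are still bound to a non-loopback address or lack a secret, and compares a Tomcat version string against the fixed releases named in the briefing. The sample server.xml and the placeholder secret are constructed; the attribute names (secretRequired, secret, address) are the real Connector attributes.

```python
"""Audit a Tomcat server.xml for AJP connectors left in a Ghostcat-exposed state."""
import xml.etree.ElementTree as ET

# Constructed sample: one AJP listener with pre-patch defaults, one hardened listener.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Fixed releases per major line, as listed in the briefing (CVE-2020-1938).
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}


def is_patched(version: str) -> bool:
    """True if the version is at or above the fixed release of its major line.
    Lines not covered by the advisory are reported as not verified (False)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts >= fixed


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: its port and a list of issues
    (an empty list means the connector is bound to loopback and secret-protected)."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP connectors are not affected by this flaw
        issues = []
        # Before 9.0.31/8.5.51/7.0.100 an AJP connector with no address bound all interfaces.
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            issues.append("no loopback address (may listen on all interfaces)")
        if conn.get("secretRequired", "true").lower() != "true":
            issues.append("secretRequired disabled")
        if not conn.get("secret"):
            issues.append("no secret configured")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {f['port']}: {f['issues'] or 'hardened'}")
```

Run it against a real server.xml by replacing the constructed sample; a connector that is not needed should be removed entirely rather than merely hardened.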

Sources: The Apache advisory and Tomcat release notes outline affected versions, mitigation steps, and patched builds.

[Figure: horizontal bar chart of credibility scores for every source cited in this briefing.]
