Analysis of Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) and Mitigation

The article details the high‑severity Apache Tomcat AJP file‑inclusion vulnerability (CVE‑2020‑1938), explains how it enables arbitrary file read and remote code execution on vulnerable Tomcat versions, and provides remediation steps including upgrading to patched releases.


Security advisory CNTA-2020-0004 reports the high‑severity Apache Tomcat AJP file‑inclusion vulnerability (CVE‑2020‑1938), which allows an attacker to read arbitrary files and achieve remote code execution on affected Tomcat installations.

Affected versions: all Tomcat 6 releases, Tomcat 7 before 7.0.100, Tomcat 8 before 8.5.51, and Tomcat 9 before 9.0.31.

The flaw resides in the AJP Connector (port 8009, protocol AJP/1.3), configured as

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

The connector accepts request attributes sent by the AJP client without validating them, so a crafted AJP request can set the servlet include attributes javax.servlet.include.request_uri, javax.servlet.include.path_info, and javax.servlet.include.servlet_path.

During request handling, org.apache.coyote.ajp.AbstractAjpProcessor.prepareRequest() parses the attribute list but does not reject these include attributes. org.apache.catalina.servlets.DefaultServlet.serveResource() later uses them to construct the file path, which yields arbitrary file read within the web application (e.g., /WEB-INF/web.xml). If the attacker can also upload a malicious JSP to the application, the same mechanism leads to remote code execution via org.apache.jasper.servlet.JspServlet.service().

Mitigation: upgrade Tomcat to a patched release: 7.0.100 for Tomcat 7, 8.5.51 for Tomcat 8, or 9.0.31 for Tomcat 9, or any later release of that branch. Tomcat 6 is no longer maintained and receives no fix; it should be replaced with a supported branch.

Download links: Tomcat 7 https://tomcat.apache.org/download-70.cgi, Tomcat 8 https://tomcat.apache.org/download-80.cgi, Tomcat 9 https://tomcat.apache.org/download-90.cgi.
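The following check combines the two facts above, the affected version ranges and the AJP Connector element in server.xml, into a small audit script. It is an added example, not code from the article or from the Tomcat project; the sample server.xml is constructed for the example, and the XML parser's behaviour of dropping comments is what makes a commented-out connector count as disabled.

```python
import xml.etree.ElementTree as ET

# First fixed release per branch, as stated in the advisory. Tomcat 6 is
# unmaintained, so every 6.x release counts as vulnerable.
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}


def parse_version(text):
    """'9.0.30' -> (9, 0, 30); a suffix such as '-M1' is ignored."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def version_vulnerable(version):
    """True if this Tomcat version is below its branch's fixed release."""
    v = parse_version(version)
    if v[0] == 6:
        return True
    if v[0] not in FIXED:
        raise ValueError("branch %d is not covered by the advisory" % v[0])
    return v < FIXED[v[0]]


def ajp_connectors(server_xml):
    """(port, address) for each enabled AJP Connector in server.xml.

    ElementTree discards XML comments, so a connector that was commented
    out (the usual way to disable AJP) is correctly not reported.
    """
    root = ET.fromstring(server_xml)
    return [(c.get("port"), c.get("address"))
            for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def exposed(version, server_xml):
    """True if a vulnerable Tomcat still has an enabled AJP Connector."""
    return version_vulnerable(version) and bool(ajp_connectors(server_xml))


# Constructed sample server.xml using the connector line quoted above.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""
```

Run exposed(version, open("conf/server.xml").read()) against each instance's reported version; a True result means the host needs the upgrade listed above or the AJP connector removed.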

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Apache Tomcat, file inclusion, AJP, CVE-2020-1938
Written by

Architect's Tech Stack

Java backend, microservices, distributed systems, containerized programming, and more.
