How the Apache Tomcat AJP File Inclusion (CVE‑2020‑1938) Works and How to Fix It

This article explains the background, affected versions, technical analysis, exploitation steps, and remediation recommendations for the Apache Tomcat AJP file inclusion vulnerability (CVE‑2020‑1938), providing detailed code insights and practical upgrade guidance.

Programmer DD

0x01 Vulnerability Background

On February 20, 2020, 360CERT reported that the CNVD platform listed CNVD-2020-10487 (CVE-2020-1938), an Apache Tomcat file inclusion vulnerability that allows attackers to read or include arbitrary files from any webapp directory.

Tomcat, developed by the Apache Software Foundation’s Jakarta project, is a servlet container that also includes an HTTP server.

0x02 Affected Versions

Apache Tomcat 9.x < 9.0.31

Apache Tomcat 8.x < 8.5.51

Apache Tomcat 7.x < 7.0.100

Apache Tomcat 6.x

0x03 Vulnerability Analysis

3.1 AJP Connector

Tomcat uses connectors to handle client requests. The standard HTTP connector listens on port 8080, configured in conf/server.xml as:

<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />

The AJP connector uses the binary AJP protocol for performance in clustered or reverse‑proxy scenarios, configured as:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

3.2 Code Analysis

The flaw originates in org.apache.coyote.ajp.AbstractAjpProcessor.java#prepareRequest(), where certain AJP request attributes are not properly validated. The relevant attributes are:

javax.servlet.include.request_uri

javax.servlet.include.path_info

javax.servlet.include.servlet_path
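As an added example that is not part of the article or of Tomcat's own code, the decoder below parses one AJP13 forward-request packet (magic bytes, length, prefix code, method, the fixed strings, the header table and the attribute list, as laid out in the AJP13 specification) and reports the request attributes it carries, flagging any name under javax.servlet.include. The sample packet is constructed inline rather than captured; a reverse proxy never sets these attributes on its own, so seeing them arrive on port 8009 is a signal worth alerting on.

```python
"""Minimal AJP13 forward-request decoder used to spot smuggled include attributes.
Written for this page; not Tomcat's code. Sample packet is constructed below."""
import struct

AJP_MAGIC = b"\x12\x34"            # client -> container packet marker
AJP_FORWARD_REQUEST = 0x02         # prefix code of a forward request
AJP_REQ_ATTRIBUTE = 0x0A           # generic (name, value) request attribute
AJP_ATTR_TERMINATOR = 0xFF
SUSPICIOUS_PREFIX = "javax.servlet.include."

METHODS = {1: "OPTIONS", 2: "GET", 3: "HEAD", 4: "POST", 5: "PUT",
           6: "DELETE", 7: "TRACE", 8: "PROPFIND"}
HEADER_CODES = {0xA001: "accept", 0xA002: "accept-charset", 0xA003: "accept-encoding",
                0xA004: "accept-language", 0xA005: "authorization", 0xA006: "connection",
                0xA007: "content-type", 0xA008: "content-length", 0xA009: "cookie",
                0xA00A: "cookie2", 0xA00B: "host", 0xA00C: "pragma", 0xA00D: "referer",
                0xA00E: "user-agent"}
# Coded attributes carrying one string value (0x0B ssl_key_size carries an integer).
ATTR_CODES = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
              0x04: "auth_type", 0x05: "query_string", 0x06: "route",
              0x07: "ssl_cert", 0x08: "ssl_cipher", 0x09: "ssl_session",
              0x0C: "secret", 0x0D: "stored_method"}


class AjpReader:
    """Cursor over a packet body: big-endian integers, length-prefixed NUL-terminated strings."""

    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        if self.pos >= len(self.data):
            raise ValueError("truncated packet")
        self.pos += 1
        return self.data[self.pos - 1]

    def int2(self):
        (v,) = struct.unpack_from(">H", self.data, self.pos)
        self.pos += 2
        return v

    def string(self, length=None):
        n = self.int2() if length is None else length
        if n == 0xFFFF:            # AJP encodes a null string as length 0xFFFF
            return None
        s = self.data[self.pos:self.pos + n].decode("latin-1")
        self.pos += n
        if self.byte() != 0:       # every non-null string ends with a NUL byte
            raise ValueError("missing string terminator")
        return s


def parse_forward_request(packet):
    """Decode one AJP13 forward-request packet into method, URI, headers and attributes."""
    if packet[:2] != AJP_MAGIC:
        raise ValueError("not a client-to-container AJP packet")
    (length,) = struct.unpack(">H", packet[2:4])
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("declared length exceeds packet")
    r = AjpReader(body)
    if r.byte() != AJP_FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHODS.get(r.byte(), "UNKNOWN"),
           "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(),
           "server_name": r.string(), "server_port": r.int2(),
           "is_ssl": bool(r.byte()), "headers": {}, "attributes": {}}
    for _ in range(r.int2()):
        code = r.int2()            # either 0xA0xx (well-known header) or a string length
        name = HEADER_CODES[code] if (code & 0xFF00) == 0xA000 else r.string(code)
        req["headers"][name.lower()] = r.string()
    while True:
        code = r.byte()
        if code == AJP_ATTR_TERMINATOR:
            break
        if code == AJP_REQ_ATTRIBUTE:   # name chosen freely by the sender
            name = r.string()
            req["attributes"][name] = r.string()
        elif code == 0x0B:
            req["attributes"]["ssl_key_size"] = r.int2()
        else:
            req["attributes"][ATTR_CODES[code]] = r.string()
    return req


def suspicious_attributes(req):
    """Attribute names a proxy should never forward: they override the include
    path that DefaultServlet and JspServlet later trust."""
    return sorted(n for n in req["attributes"] if n.startswith(SUSPICIOUS_PREFIX))


# Constructed sample (not a real capture): GET /docs/ with one smuggled attribute.
_BODY = (b"\x02\x02"                                   # forward request, GET
         + b"\x00\x08HTTP/1.1\x00" + b"\x00\x06/docs/\x00"
         + b"\x00\x09127.0.0.1\x00" + b"\x00\x09localhost\x00" + b"\x00\x09localhost\x00"
         + b"\x1f\x90\x00"                             # port 8080, not SSL
         + b"\x00\x01" + b"\xa0\x0b" + b"\x00\x0elocalhost:8080\x00"   # one header: Host
         + b"\x0a" + b"\x00\x21javax.servlet.include.request_uri\x00" + b"\x00\x01/\x00"
         + b"\xff")
SAMPLE_PACKET = AJP_MAGIC + struct.pack(">H", len(_BODY)) + _BODY

if __name__ == "__main__":
    parsed = parse_forward_request(SAMPLE_PACKET)
    print(parsed["method"], parsed["uri"], parsed["headers"])
    print("flagged:", suspicious_attributes(parsed))
```

The decoder only reports attribute names; it deliberately contains no packet builder. In a sensor it would sit on a tap of the AJP port or behind a port-8009 honeypot, and any non-empty result from suspicious_attributes() is an immediate alert, because a legitimate mod_jk or mod_proxy_ajp front end never emits these names.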

3.3 Arbitrary File Read

When the request reaches org.apache.catalina.servlets.DefaultServlet#serveResource(), getRelativePath() reads the javax.servlet.include.request_uri, path_info, and servlet_path attributes to build the file path, and getResource() then returns that file's content. Because these attributes arrive unvalidated from the AJP request, an AJP client can point them at any file under the web application, including /WEB-INF/web.xml.

3.4 Remote Code Execution

For JSP requests, org.apache.jasper.servlet.JspServlet#service() processes the pathInfo. If an attacker can upload a malicious JSP file, they can trigger RCE by forcing the server to compile and execute the uploaded JSP.

0x04 Remediation Recommendations

Upgrade Tomcat to the following versions:

Tomcat 7: 7.0.100

Tomcat 8: 8.5.51

Tomcat 9: 9.0.31

Tomcat 6 is no longer maintained; users should migrate to a supported release.

Stay informed about the latest Tomcat releases via the official Apache Tomcat website or the Apache Tomcat Git repository.
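The following script is an added example, not part of the article or of the Tomcat project: it compares a running Tomcat version against the fixed releases listed above and audits a conf/server.xml for AJP connectors that remain exposed. The connector checks rely on Tomcat attributes the article does not name (address, secret and secretRequired, with secretRequired defaulting to true in the fixed releases); treat that part as an assumption to confirm against your own Tomcat version's connector documentation. Both server.xml samples are constructed inline, the first being the stock connector shown in section 3.1.

```python
"""Version and server.xml audit for CVE-2020-1938. Added example, not Tomcat code."""
import xml.etree.ElementTree as ET

# First fixed release per branch, as stated in the advisory; 6.x has no fix.
FIXED_VERSIONS = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(version):
    return tuple(int(p) for p in version.split("."))


def is_vulnerable_version(version):
    """True when this Tomcat build predates its branch's fix, or is any 6.x release."""
    v = parse_version(version)
    if v[0] == 6:
        return True
    fixed = FIXED_VERSIONS.get(v[0])
    return fixed is not None and v < fixed   # branches outside the advisory are not flagged


def audit_ajp_connectors(server_xml):
    """Return one finding per weakness found on each AJP connector in server.xml.
    Assumed Tomcat attributes (not named in the article): address binds the
    listener; secret/secretRequired gate requests with a shared secret."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        port = conn.get("port", "?")
        if conn.get("address") not in LOOPBACK:
            findings.append(f"AJP connector on port {port} is not bound to loopback")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP connector on port {port} explicitly disables secretRequired")
        elif not conn.get("secret"):
            findings.append(f"AJP connector on port {port} has no shared secret configured")
    return findings


# Constructed samples: the stock connector from the article, then a hardened one.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443" />
</Service></Server>"""

if __name__ == "__main__":
    for v in ("9.0.30", "9.0.31", "8.5.51", "7.0.99", "6.0.53"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    print(audit_ajp_connectors(WEAK_SERVER_XML))
    print(audit_ajp_connectors(HARDENED_SERVER_XML))
```

The upgrade is the actual fix; the connector audit catches the case where an upgraded host still has AJP listening on every interface, or where the connector is not needed at all and can simply be commented out. The secret value in the hardened sample is a placeholder to be replaced with a random string shared only with the front-end proxy.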
