
CVE-2020-1938

Unscored · EPSS 99.3% · CISA KEV

Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited.

Community ground truth

Community verdict

2 verdicts
Not a real issue

Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.


Community real-world severity: High (High 1 · Medium 1)

Field notes & remediation

Verdicts are the quick signal — notes are the evidence and fixes behind them.

  • Field note · Priya Nair · Curated · 0

    Conditional: only matters if the AJP connector (8009) is reachable. Default file read/inclusion; RCE only if you can also write a file (e.g. upload). Most internet-facing Tomcats don't expose AJP — internal ones sometimes do.

  • Remediation · Nadia Petrova · Curated · 0

    Upgrade Tomcat; if you don't use AJP, disable the connector outright. If you do, bind it to localhost and set a secret.
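The remediation note above, shown as a Tomcat server.xml connector fragment (an added example, not from the page or the Tomcat project; the secret value is a placeholder you must replace, and the `secretRequired`/`secret` attributes assume a Tomcat release that ships the AJP secret support):

```xml
<!-- Before: the historically shipped AJP connector. With no address it binds to
     all interfaces and accepts unauthenticated AJP from anything that can reach 8009. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Option 1 (nothing fronts Tomcat over AJP): remove or comment out the
     Connector above. HTTP on 8080/8443 is unaffected. -->

<!-- Option 2 (a reverse proxy such as mod_jk/mod_proxy_ajp on the same host needs AJP):
     bind to loopback only and require a shared secret that the proxy must present. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="CHANGE-ME-long-random-placeholder" />
```

After restarting, confirm the listener is loopback-only (for example `ss -ltnp | grep 8009` should show `127.0.0.1:8009`, not `*:8009` or `0.0.0.0:8009`) and configure the same secret on the proxy side, otherwise its AJP requests will be rejected.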