Dashboard Toolbox - VM DASHBOARD: GHOSTCAT | QID: 87413 Apache Tomcat AJP File Inclusion Vulnerability | CVE-2020-1938

Document created by DMFezzaReed Employee on Mar 3, 2020Last modified by Felix Jimenez on Mar 12, 2020
Version 4Show Document
  • View in full screen mode

This page contains template information to create a Vulnerabilities Dashboard leveraging data in Qualys Vulnerability Management subscription. 


Due to a file inclusion defect in the AJP service (port 8009) that is enabled by default in Tomcat, an attacker can construct a malicious request package for file inclusion operation, and then read the web directory file on the affected Tomcat server.


  • Remote QID 87413, QID 86990
  • Threat Protection RTI(s): exploit_public, easy_exploit


  • Impacted Product(s)/Version(s): 
    • Apache Tomcat 9.0.0 through 9.0.30
    • Apache Tomcat 8.5.0 through 8.5.50
    • Apache Tomcat 7.0.0 through 7.0.99
  • Impacted Service(s)/Port(s): AJP Port - by default - 8009
  • Detection Released in VULNSIGS-2.4.826-3
This vulnerability also affects Apache Tomcat 6, however,  patches are not available for version 6.x. Customers are encouraged to upgrade to the latest supported versions of Apache Tomcat.


Related Qualys Blog Post: https://blog.qualys.com/laws-of-vulnerabilities/2020/03/05/automatically-discover-prioritize-and-remediate-apache-tomcat… 




IMPORTANT: Importing Dashboard and/or Widget JSON files - Enable historical data collection


When you export dashboard(s) and/or widget(s) that have "Enable historical data collection" turned on, and then import them later, you will have to manually "Enable historical data collection" following your import.  This is by design.  The action of turning on this feature starts the clock for data retention.




If you have any questions, please post them below, contact your TAM, or Contact Support - Technical Assistance Inquiry Form | Qualys, Inc..




Back to Dashboards and Reporting Resources - Start Here 

Back to Dashboard Toolbox - New Vulnerability Management (VM) Dashboard BETA