CVE-2020-1938 Apache Tomcat vulnerability

Severity: Medium

2020-03-04



The Apache Software Foundation (ASF) officially released a security advisory announcing that Apache Tomcat is susceptible to a vulnerability that could allow reading of arbitrary files on the affected system (CVE-2020-1938). The vulnerability exists in the Apache JServ Protocol (AJP), which is enabled by default and listens on all configured IP addresses. Successful exploitation of the vulnerability could allow an attacker to read arbitrary files on the affected server. This affects Apache Tomcat versions 6.x, 7.x less than 7.0.100, 8.x less than 8.5.51 and 9.x less than 9.0.31.

Multiple Oxygen XML products incorporate Apache Tomcat. This advisory was opened to address the potential impact of this vulnerability on those products.

Affected Products/Versions

| Product | Severity | Fixed Release Availability |
| --- | --- | --- |
| Oxygen XML Web Author 22.0.0 and older versions | Medium | Oxygen XML Web Author 21.1.1 build 2020032609 |
| Oxygen Content Fusion 1.2 and older versions | Medium | Oxygen Content Fusion 1.2.1 build 2020041419 |





Severity: High

CVSS Score: 9.8

The Apache Tomcat version used by Oxygen XML software products is one of the affected versions listed in the CVE-2020-1938 vulnerability description. However, the AJP Connector (where the vulnerability exists) is not enabled or used in Oxygen XML software products. Therefore, Oxygen XML software products are not impacted by CVE-2020-1938.
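One way to confirm both conditions on a deployment, shown as an added example that is not part of the original advisory or of any Oxygen product: the script checks a Tomcat version against the affected ranges listed above and lists any active AJP connector in a `server.xml`. The sample configurations are constructed, and treating a connector with no `address` attribute as exposed is a conservative assumption.

```python
import xml.etree.ElementTree as ET

# First fixed Tomcat release per branch, as listed in the advisory text.
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def version_affected(version):
    """True if the Tomcat version is in the advisory's affected ranges."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts[0] == 6:                      # every 6.x release is listed
        return True
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts < fixed

def ajp_connectors(server_xml):
    """List active AJP <Connector> elements; XML comments are ignored."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        address = conn.get("address")
        found.append({
            "port": conn.get("port"),
            "address": address,
            # No address attribute is treated as exposed: affected releases
            # bind AJP to all configured IP addresses by default.
            "exposed": address not in LOOPBACK,
            "has_secret": bool(conn.get("secret") or conn.get("requiredSecret")),
        })
    return found

# Constructed sample configurations (not taken from any Oxygen product).
AJP_DISABLED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
</Service></Server>"""
AJP_ENABLED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("disabled", AJP_DISABLED), ("enabled", AJP_ENABLED)):
        print(name, ajp_connectors(xml))
    print("9.0.30 affected:", version_affected("9.0.30"))
```

An empty result from `ajp_connectors` corresponds to the situation described above: an affected Tomcat version with no AJP connector enabled.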

Revision History

2020-04-07 Updated Apache Tomcat to 9.0.31.

Syncro Soft will continue to update this advisory as additional information becomes available.

If you have questions about the security features of an Oxygen product or require technical support, please contact us on .

If you want to download product updates, please visit our Download page.

Please only use the e-mail address for reporting security issues.
