CVE-2020-1938 Apache Tomcat vulnerability
Severity: Medium2020-03-04
Abstract
Apache Software Foundation (ASF) officially released a security advisory, announcing that Apache Tomcat is susceptible to a vulnerability which could allow for reading of arbitrary files on the affected system (CVE-2020-1938). The vulnerability exists in the Apache JServ Protocol (AJP) protocol, which is enabled by default and listens on all configured IP addresses. Successful exploitation of the vulnerability could allow an attacker to read arbitrary files on the affected server. This affects Apache Tomcat versions 6.x, 7.x less than 7.0.100, 8.x less than 8.5.51 and 9.x less than 9.0.31.
Multiple Oxygen XML products incorporate Apache Tomcat. This advisory was opened to address the potential impact on this vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
| Oxygen XML Web Author 22.0.0 and older versions | Medium | Oxygen XML Web Author 21.1.1 build 2020032609 |
| Oxygen Content Fusion 1.2 and older versions | Medium | Oxygen Content Fusion 1.2.1 build 2020041419 |
Detail
CVE-2020-1938
Severity: High
CVSS Score: 9.8
Apache Tomcat used by Oxygen XML software products has an affected version mentioned in CVE-2020-1938 vulnerability description. However, the AJP Connector (where the vulnerability exists) is not enabled and used in Oxygen XML software products. Therefore Oxygen XML software products are not impacted by CVE-2020-1938.
Revision History
2020-04-07 Updated Apache Tomcat to 9.0.31.
Syncro Soft will continue to update this advisory as additional information becomes available.
If you have questions about the security features of an Oxygen product or require technical support, please contact us on .
If you want to download product updates, please visit our Download page.
Please only use the e-mail address for reporting security issues.
