https://community.isc2.org/t5/Tech-Talk/GhostCat-Critical-Apache-Tomcat-Vulnerability/m-p/33206#M2392 <P>Patch your Apache Tomcat servers NOW!</P><P>&nbsp;</P><P>ALL versions (9.x/8.x/7.x/6.x) released in the past 13 years have been found vulnerable to a new <STRONG>CRITICAL</STRONG> (<STRONG>CVSS 9.8</STRONG>) vulnerability dubbed "<STRONG>GhostCat</STRONG>" (<STRONG>CVE-2020-1938</STRONG>). The flaw (<A href="https://www.chaitin.cn/en/ghostcat" target="_blank" rel="noopener">described here</A>) could let unauthenticated, remote attackers read the content of any file on a vulnerable web server and obtain sensitive configuration files or source code, or execute arbitrary code if the server allows file upload. There of lots of PoC exploits in the wild. Drop what you are doing now and <A href="http://tomcat.apache.org/security.html" target="_blank" rel="noopener">upgrade</A>!</P> Mon, 09 Oct 2023 09:27:07 GMT AppDefects 2023-10-09T09:27:07Z https://community.isc2.org/t5/Tech-Talk/GhostCat-Critical-Apache-Tomcat-Vulnerability/m-p/33206#M2392 <P>Patch your Apache Tomcat servers NOW!</P><P>&nbsp;</P><P>ALL versions (9.x/8.x/7.x/6.x) released in the past 13 years have been found vulnerable to a new <STRONG>CRITICAL</STRONG> (<STRONG>CVSS 9.8</STRONG>) vulnerability dubbed "<STRONG>GhostCat</STRONG>" (<STRONG>CVE-2020-1938</STRONG>). The flaw (<A href="https://www.chaitin.cn/en/ghostcat" target="_blank" rel="noopener">described here</A>) could let unauthenticated, remote attackers read the content of any file on a vulnerable web server and obtain sensitive configuration files or source code, or execute arbitrary code if the server allows file upload. There of lots of PoC exploits in the wild. Drop what you are doing now and <A href="http://tomcat.apache.org/security.html" target="_blank" rel="noopener">upgrade</A>!</P> Mon, 09 Oct 2023 09:27:07 GMT https://community.isc2.org/t5/Tech-Talk/GhostCat-Critical-Apache-Tomcat-Vulnerability/m-p/33206#M2392 AppDefects 2023-10-09T09:27:07Z