CVE-2020-1938
A vulnerability was found in Apache Tomcat up to 7.0.99/8.5.50/9.0.30 (Application Server Software). It has been classified as critical. It affects unspecified code in the AJP Connector component. Manipulation with an unknown input leads to an input validation vulnerability (Ghostcat). CWE classifies the issue as CWE-20: the product receives input or data, but does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly. This has an impact on confidentiality, integrity, and availability.
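To check a host against the description above, the following added example (not part of the original notes and not Tomcat project code) compares a version with the affected ranges listed here and audits a server.xml for active AJP connectors. The sample server.xml is constructed, and the rule that a missing address attribute means "all interfaces" on affected releases is an assumption of this example; address, secret, requiredSecret and secretRequired are Tomcat AJP connector attributes.

```python
import re
import xml.etree.ElementTree as ET

# Last affected release per branch, as listed in the description above.
LAST_AFFECTED = {7: (7, 0, 99), 8: (8, 5, 50), 9: (9, 0, 30)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml, not taken from any real host.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" /> -->
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"
               secret="PLACEHOLDER-SECRET" secretRequired="true" />
  </Service>
</Server>"""

def in_affected_range(version):
    """True if version is at or below the last affected release of a listed branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unparseable version: %r" % version)
    v = tuple(int(x) for x in m.groups())
    last = LAST_AFFECTED.get(v[0])  # branches not listed on the page are not judged
    return last is not None and v <= last

def audit_ajp(server_xml):
    """Return (port, issue) pairs for each active AJP connector in server.xml."""
    findings = []
    # ElementTree drops XML comments, so commented-out connectors are skipped.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        port = conn.get("port", "?")
        # Assumption: with no address attribute, affected releases bind all interfaces.
        if conn.get("address") not in LOOPBACK:
            findings.append((port, "not bound to loopback"))
        # requiredSecret is the older name of the secret attribute.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append((port, "no shared secret"))
        if conn.get("secretRequired", "").lower() == "false":
            findings.append((port, "secretRequired disabled"))
    return findings

if __name__ == "__main__":
    print("9.0.30 affected:", in_affected_range("9.0.30"))
    for port, issue in audit_ajp(SAMPLE):
        print("AJP connector on port %s: %s" % (port, issue))
```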
Exploit
┌──(kali㉿kali)-[~/archive/thm/tomghost]
└─$ searchsploit -m multiple/webapps/48143.py
Exploit: Apache Tomcat - AJP 'Ghostcat File Read/Inclusion
URL: https://www.exploit-db.com/exploits/48143
Path: /usr/share/exploitdb/exploits/multiple/webapps/48143.py
Codes: CVE-2020-1938
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/archive/thm/tomghost/48143.py
┌──(kali㉿kali)-[~/archive/thm/tomghost]
└─$ mv 48143.py CVE-2020-1938.py
The exploit is available via the local Exploit-DB.
There is another exploit available on GitHub.