On 24.02.2020 at 13:47, Mark Thomas wrote:
> CVE-2020-1938 AJP Request Injection and potential Remote Code Execution
>
> Severity: High
>
> ...
> - returning arbitrary files from anywhere in the web application
> including under the WEB-INF and META-INF directories or any other
> location reachable via ServletContext.getResourceAsStream()
> - processing any file in the web application as a JSP
> Further, if the web application allowed file upload and stored those
> files within the web application (or the attacker was able to control
> the content of the web application by some other means) then this, along
> with the ability to process a file as a JSP, made remote code execution
> possible.
Is this a bug which is or will be fixed, or is this a fundamental design flaw of AJP which cannot be fixed? So to trust or not to trust are the only options?

Thanks,

Stefan Mayr
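As an added illustration that is not part of this thread or of the advisory quoted above: the AJP connector in Tomcat's server.xml can be bound to a loopback address and made to require a shared secret that the reverse proxy (mod_jk / mod_proxy_ajp) must also present, which keeps an exposed AJP port from accepting requests from arbitrary clients; where no reverse proxy uses AJP, the connector can simply be removed. The fragment below is constructed by me, not taken from the page; the attribute names address, secretRequired and secret are the connector's real attributes, the port and redirectPort values are the usual defaults, and the secret value is a placeholder to be replaced with a long random string.

```xml
<!-- Before (constructed example): AJP listens on every interface with no shared secret,
     so any host that can reach port 8009 can speak AJP to Tomcat directly. -->
<Connector protocol="AJP/1.3"
           port="8009"
           redirectPort="8443" />

<!-- After (constructed example): accept AJP only from the local reverse proxy and
     only when it presents the shared secret; the same secret must be configured
     on the proxy side (e.g. mod_jk worker "secret", mod_proxy_ajp "secret=" option). -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET"
           redirectPort="8443" />

<!-- Alternative when nothing in front of Tomcat uses AJP: delete or comment out the
     AJP <Connector> element entirely so the port is never opened. -->
```

A quick check after restarting Tomcat is to confirm with a local socket listing that port 8009 is bound only to 127.0.0.1 (or ::1) rather than 0.0.0.0, and that a connection attempt from another host is refused.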