PT-2020-2761 · Red Hat · Undertow

Kunjan Rathod · Published 2020-04-28 · Updated 2024-02-16 · CVE-2020-1745

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Undertow versions 2.0.29.Final and before
Description: A file inclusion vulnerability was found in Undertow's AJP connector, which listens on port 8009 in the default AJP configuration. A remote, unauthenticated attacker who can reach that port can read web application files from a vulnerable server. Where the server also accepts file uploads, an attacker can upload malicious JavaServer Pages (JSP) code inside a file of any type and use this vulnerability to have it executed, gaining remote code execution. The root cause is insufficient access control in the AJP connector service: it trusts whatever the peer on port 8009 sends, so the issue is reachable from any network position that can open a TCP connection to the connector.
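Because exploitability hinges entirely on whether port 8009 is reachable, the first thing a practitioner wants is a way to confirm that from a given network position. The following is an added example written for this page, not code from Undertow or Red Hat: it opens a TCP connection, sends an AJP13 CPing packet and reports whether an AJP CPong comes back. The default host and port, the 2-second timeout and the class name are assumptions; the packet bytes are the standard AJP13 CPing (0x12 0x34 0x00 0x01 0x0A) and CPong (0x41 0x42 0x00 0x01 0x09).

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Arrays;

/** Added example: probes a TCP port for an AJP13 listener with a CPing/CPong exchange. */
public final class AjpExposureCheck {

    /** AJP13 CPing: client-to-container magic 0x12 0x34, payload length 1, type 0x0A. */
    static final byte[] CPING = {0x12, 0x34, 0x00, 0x01, 0x0A};

    /** AJP13 CPong: container-to-client magic 'A' 'B', payload length 1, type 0x09. */
    static final byte[] CPONG = {0x41, 0x42, 0x00, 0x01, 0x09};

    /** True only for an exact CPong; an HTTP listener or a closed port never produces this. */
    static boolean isCpong(byte[] reply, int length) {
        return length == CPONG.length
                && Arrays.equals(Arrays.copyOf(reply, length), CPONG);
    }

    /**
     * Connects to host:port, sends CPing and reads the reply.
     * Returns true when an AJP listener answered; false on connection refusal,
     * timeout, or any reply that is not a CPong.
     */
    static boolean ajpListening(String host, int port, int timeoutMs) {
        try (Socket socket = new Socket()) {
            socket.connect(new InetSocketAddress(host, port), timeoutMs);
            socket.setSoTimeout(timeoutMs);
            OutputStream out = socket.getOutputStream();
            out.write(CPING);
            out.flush();
            InputStream in = socket.getInputStream();
            byte[] reply = new byte[CPONG.length];
            int n = in.readNBytes(reply, 0, reply.length); // Java 11+
            return isCpong(reply, n);
        } catch (IOException e) {
            // Connection refused, filtered (read timeout) or peer closed without a CPong.
            return false;
        }
    }

    public static void main(String[] args) {
        // Assumed defaults: localhost and the default AJP port named in the advisory.
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8009;
        boolean exposed = ajpListening(host, port, 2000);
        System.out.println(host + ":" + port + (exposed
                ? " answers AJP CPing: an AJP listener is reachable from this vantage point"
                : " gives no AJP CPong: port closed, filtered, or not speaking AJP"));
    }
}
```

Run it from every network segment an attacker could occupy, not only from the server itself: a negative result says only that this vantage point cannot reach the connector. A positive result against an Undertow at or below 2.0.29.Final means the file-read issue described above is reachable from there, whatever the web application does.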
Recommendations: For Undertow versions 2.0.29.Final and before, update to version 2.0.30.Final, which resolves the issue. As a temporary workaround until the update is applied, disable the AJP connector, or restrict access to the default AJP port 8009 so that only the reverse proxy that legitimately needs it can connect; the restriction only helps if every network position an attacker could occupy is excluded. Additionally, restrict file uploads on the vulnerable server, since uploads are what turn the file-read issue into remote code execution.
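The two workarounds map directly onto Undertow's embedded builder API. The following is an added illustration written for this page, not code from the page, Undertow or Red Hat: it shows the exposed configuration next to two hardened alternatives. The class name, the `webapp` classpath prefix, the port numbers and the `proxyAddress` argument are assumptions; the real fix remains the update to 2.0.30.Final.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.server.handlers.resource.ClassPathResourceManager;

/** Added example: the exposed AJP configuration beside two hardened alternatives. */
public final class AjpHardening {

    /** The web application: static resources under an assumed "webapp" classpath prefix. */
    static HttpHandler application() {
        return Handlers.resource(
                new ClassPathResourceManager(AjpHardening.class.getClassLoader(), "webapp"));
    }

    /** Exposed shape: AJP on the default port 8009, bound to every interface. */
    static Undertow exposed() {
        return Undertow.builder()
                .addHttpListener(8080, "0.0.0.0")
                .addAjpListener(8009, "0.0.0.0")   // any remote peer can speak AJP to the app
                .setHandler(application())
                .build();
    }

    /** Hardened, option 1: no AJP listener at all. Use this when no reverse proxy needs AJP. */
    static Undertow withoutAjp() {
        return Undertow.builder()
                .addHttpListener(8080, "0.0.0.0")
                .setHandler(application())
                .build();
    }

    /**
     * Hardened, option 2: keep AJP for a co-located reverse proxy, but bind it to loopback
     * and additionally reject every peer except the proxy's address (assumed argument).
     * The IP filter wraps the application, so it also applies to the HTTP listener; that is
     * intended when the proxy is the only legitimate client of both.
     */
    static Undertow loopbackAjpOnly(String proxyAddress) {
        HttpHandler proxyOnly = new IPAddressAccessControlHandler(application())
                .setDefaultAllow(false)
                .addAllow(proxyAddress);
        return Undertow.builder()
                .addHttpListener(8080, "0.0.0.0")
                .addAjpListener(8009, "127.0.0.1")   // not reachable from other hosts
                .setHandler(proxyOnly)
                .build();
    }

    public static void main(String[] args) {
        // Assumed deployment: the proxy connects from the loopback address.
        Undertow server = args.length > 0 && args[0].equals("ajp")
                ? loopbackAjpOnly("127.0.0.1")
                : withoutAjp();
        server.start();
        System.out.println("Started without an Internet-facing AJP listener; Ctrl-C to stop");
    }
}
```

Binding to loopback keeps the connector away from remote attackers but still exposes it to every process and user on the same host, so option 2 is a stop-gap, not a substitute for the update. Deployments that configure Undertow through a container rather than the builder API apply the same change to that container's AJP listener definition.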

Fix

Weakness Enumeration

Improper Authorization
Information Disclosure

Related Identifiers

BDU:2020-02853
CVE-2020-1745
GHSA-GV2W-88HX-8M9R
RHSA-2020:0813
RHSA-2020:0962
RHSA-2020:2058
RHSA-2020:2059
RHSA-2020:2060
RHSA-2020:2511
RHSA-2020:2512
RHSA-2020:2513
RHSA-2024:5856

Affected Products

Undertow