Ghostcat is a vulnerability found in Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x that allows remote code execution in some circumstances. Apache Tomcat includes the AJP connector, which is enabled by default and listens on all addresses on port 8009. This connection is treated with more trust than a connection such as HTTP, allowing an attacker to exploit it to perform actions that are not intended for an untrusted user.
Ghostcat allows an attacker to retrieve arbitrary files from anywhere in the web application, including the WEB-INF and META-INF directories and any other location that can be reached via ServletContext.getResourceAsStream(). It also allows the attacker to process any file in the web application as JSP.
Remote code execution is not possible by default. If an application running on an affected version of Tomcat contains a file upload vulnerability, an attacker can exploit it in combination with Ghostcat to achieve remote code execution. However, the attacker must be able to save the uploaded files to the document root and to reach the AJP port directly from outside the target’s network.