The vulnerability resides in the AJP protocol of Apache Tomcat software that arises due to improper handling of an attribute. The flaw could let unauthenticated, remote attackers read the content of any file on a vulnerable web server and obtain sensitive configuration files or source code. The vulnerability can only be exploited remotely when accessible to untrusted clients. The latest releases also fix 2 other low severity HTTP request smuggling issues. There are more than 170,000 devices that are exposing an AJP port to everyone through the Internet, at the time of writing.
Source: https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html