Posted to users@tapestry.apache.org by "Thiago H. de Paula Figueiredo" <th...@gmail.com> on 2020/09/26 19:13:24 UTC
[CVE-2020-13953] Apache Tapestry WEB-INF file download vulnerability
CVE-2020-13953: Apache Tapestry: URL manipulation allows Java webapp files
inside WEB-INF to be listed and downloaded.
Vendor:
The Apache Software Foundation
Versions Affected:
Tapestry 5.4.0 to 5.5.0
Description:
Crafting specific URLs, an attacker can download files inside the WEB-INF
folder.
Mitigation:
Upgrade to Apache Tapestry 5.6.0 or later.
Credit:
This issue was discovered by Thomas Moore.
References:
https://tapestry.apache.org/security.html
--
Thiago
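
To find deployments that fall in the affected range above, the following added example (not part of the original announcement or of the Tapestry project) lists the tapestry-core jar inside a WAR file and compares its version against the advisory. It assumes the jar keeps its Maven file name, tapestry-core-<version>.jar; the helper names and the sample WAR are constructed for illustration.

```python
import io
import re
import zipfile

# Range stated in the advisory: Tapestry 5.4.0 to 5.5.0 affected.
AFFECTED_MIN, AFFECTED_MAX = (5, 4, 0), (5, 5, 0)
# Assumption: the jar keeps its Maven file name, tapestry-core-<version>.jar
JAR_RE = re.compile(
    r"^WEB-INF/lib/tapestry-core-(\d+(?:\.\d+)*)(-[A-Za-z][\w.-]*)?\.jar$")

def classify(version, qualifier):
    """Compare numerically so that e.g. 5.10.0 sorts above 5.5.0."""
    nums = [int(p) for p in version.split(".")]
    nums += [0] * (3 - len(nums))          # "5.4" is treated as 5.4.0
    if not AFFECTED_MIN <= tuple(nums) <= AFFECTED_MAX:
        return "outside-advisory-range"
    # Pre-release and snapshot builds are not named in the advisory.
    return "review" if qualifier else "affected"

def audit_war(war):
    """war: path or file object of a WAR. Returns [(jar entry, status)]."""
    findings = []
    with zipfile.ZipFile(war) as archive:
        for entry in archive.namelist():
            match = JAR_RE.match(entry)
            if match:
                status = classify(match.group(1), match.group(2))
                findings.append((entry, status))
    return findings

def build_sample_war(jar_names):
    """Constructed sample input: an in-memory WAR with empty jar entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", b"<web-app/>")
        for name in jar_names:
            war.writestr("WEB-INF/lib/" + name, b"")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    sample = build_sample_war(["tapestry-core-5.4.5.jar", "commons-io-2.6.jar"])
    for entry, status in audit_war(sample):
        print(f"{status:24} {entry}")
```

A jar reported as affected calls for the upgrade to 5.6.0 or later named under Mitigation; a "review" result means the build carries a qualifier the advisory does not address.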