Posted to users@tapestry.apache.org by "Thiago H. de Paula Figueiredo" <th...@gmail.com> on 2021/04/27 17:34:54 UTC
CVE-2021-30638: An Information Disclosure due to insufficient input
validation exists in Apache Tapestry 5.4.0 and later
Description:
An information exposure vulnerability in the context asset handling of Apache
Tapestry allows an attacker to download files inside WEB-INF by using a
specially constructed URL. This was caused by an incomplete fix for
CVE-2020-13953. This issue affects Apache Tapestry 5.4.0 to 5.6.3, and
Apache Tapestry 5.7.0 and 5.7.1.
Solution:
For Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4
For Tapestry 5.7.0 and 5.7.1: upgrade to 5.7.2
************ Problem Description ************
An Information Disclosure due to insufficient input validation exists
in Apache Tapestry 5.6.1 and later (latest)
A recent patch for CVE-2020-13953
(https://github.com/apache/tapestry-5/commit/cf1912291af9146ee86a4aef471ae2ab31d3a28b)
fails to account for the backslash character in the filtering regex.
An attacker is therefore able to list and download web app files from
the WEB-INF and META-INF directories using a crafted payload.
Credit:
This vulnerability was discovered by Kc Udonsi of Trend Micro
--
Thiago
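
The failure mode named in the Problem Description, as an added example that is not code from Tapestry or from the fix commit: a hypothetical slash-only filter next to a check that treats the backslash as a path separator before comparing segments. The class name, method names and sample paths are constructed for this illustration.

```java
import java.util.List;
import java.util.Locale;

public class ProtectedPathCheck {

    // Hypothetical filter that only anticipates '/' as a separator.
    // It stands in for the class of bug described above; it is not Tapestry's regex.
    static boolean slashOnlyIsProtected(String path) {
        return path.toUpperCase(Locale.ROOT).matches("^/?(WEB-INF|META-INF)/.*");
    }

    // Segment-based check: map '\' to '/', split, and compare every segment
    // case-insensitively. Deliberately strict: any segment with a protected
    // name is rejected, wherever it appears in the path.
    static boolean isProtected(String path) {
        String normalized = path.replace('\\', '/');
        for (String segment : normalized.split("/")) {
            String s = segment.toUpperCase(Locale.ROOT);
            if (s.equals("WEB-INF") || s.equals("META-INF")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths, relative to the web application context root.
        List<String> samples = List.of(
            "css/site.css",
            "WEB-INF/web.xml",
            "web-inf/web.xml",
            "WEB-INF\\web.xml",
            "META-INF\\MANIFEST.MF");
        for (String p : samples) {
            System.out.printf("%-24s slashOnly=%-5b segment=%b%n",
                p, slashOnlyIsProtected(p), isProtected(p));
        }
    }
}
```

The two checks agree on the first three paths and disagree on the last two, where only the segment-based check reports the path as protected.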