Posted to users@tapestry.apache.org by "Thiago H. de Paula Figueiredo" <th...@gmail.com> on 2021/04/27 17:34:54 UTC

CVE-2021-30638: An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later

Description:

Information Exposure vulnerability in context asset handling of Apache
Tapestry allows an attacker to download files inside WEB-INF by using a
specially constructed URL.  This was caused by an incomplete fix for
CVE-2020-13953.  This issue affects Apache Tapestry 5.4.0 to 5.6.3, and
Apache Tapestry 5.7.0 and 5.7.1.

Solution:

For Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4

For Tapestry 5.7.0 and 5.7.1: upgrade to 5.7.2

************ Problem Description ************

An Information Disclosure due to insufficient input validation exists
in Apache Tapestry 5.6.1 and later (latest).

A recent patch for CVE-2020-13953
(https://github.com/apache/tapestry-5/commit/cf1912291af9146ee86a4aef471ae2ab31d3a28b)
fails to account for the backslash character in the filtering regex.

An attacker is therefore able to list and download web app files from
the WEB-INF and META-INF directories using a crafted payload.

Credit:

This vulnerability was discovered by Kc Udonsi of Trend Micro

-- 
Thiago
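
Added example, not part of the original advisory and not Tapestry's own code: the backslash gap named in the problem description, shown as a constructed slash-only filter beside a check that normalizes separators before comparing path segments. The class name, the regex and the sample paths are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

public class ProtectedPathCheck {
    // Constructed weak filter (an assumption, NOT Tapestry's actual regex):
    // only '/' is recognised as a path separator.
    static final Pattern SLASH_ONLY =
        Pattern.compile("^/?(WEB-INF|META-INF)(/|$)", Pattern.CASE_INSENSITIVE);

    static boolean weakIsProtected(String path) {
        return SLASH_ONLY.matcher(path).find();
    }

    // Hardened check: treat '\' as a separator as well, then compare every
    // path segment, so the protected name is caught wherever it appears.
    static boolean isProtected(String path) {
        String normalized = path.replace('\\', '/');
        for (String segment : normalized.split("/")) {
            String s = segment.toUpperCase(Locale.ROOT);
            if (s.equals("WEB-INF") || s.equals("META-INF")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample asset paths, assumed to be URL-decoded already.
        List<String> samples = List.of(
            "css/site.css",
            "WEB-INF/web.xml",
            "web-inf/web.xml",
            "WEB-INF\\web.xml",
            "images/../META-INF\\MANIFEST.MF");
        for (String p : samples) {
            System.out.printf("%-32s weak=%-5b hardened=%b%n",
                p, weakIsProtected(p), isProtected(p));
        }
    }
}
```

A guard like this is only a defence-in-depth check for custom asset handlers; the fix for this CVE is the upgrade listed under Solution.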