Posted to users@tapestry.apache.org by "Nourredine K." <no...@gmail.com> on 2019/10/07 14:34:47 UTC

Re: [CVE-2019-0195] Apache Tapestry vulnerability disclosure

Hello Thiago,

Does this CVE concern only Tapestry 5.4? What about 5.1, 5.2 and 5.3?
I think we should create a dedicated Jira ticket for each CVE to allow
security devs to track Tapestry CVEs more easily.

Regards,

Nouredine

On Fri, Sep 13, 2019 at 16:11, Thiago H. de Paula Figueiredo <thiagohp@gmail.com> wrote:

> CVE-2019-0195: File Reading Leads to Java Deserialization Vulnerability
> Severity: important
> Vendor: The Apache Software Foundation
> Versions affected: all Apache Tapestry versions between 5.4.0, including
> its betas, and 5.4.3
>
> Description:
> Manipulating classpath asset file URLs, an attacker could guess the path to
> a known file in the classpath and have it downloaded. If the attacker
> found the file with the value of the tapestry.hmac-passphrase configuration
> symbol, most probably the webapp's AppModule class, the value of this
> symbol could be used to craft a Java deserialization attack, thus running
> malicious injected Java code. The vector would be the t:formdata parameter
> from the Form component.
>
> Mitigation:
> Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> version.
>
> Credit:
> Ricter Zheng
>
> --
> Thiago H. de Paula Figueiredo
>

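The advisory above pins the affected range to 5.4.0 (including its betas) through 5.4.3 and notes that the tapestry.hmac-passphrase value most probably sits in the webapp's AppModule class, i.e. in a compiled artifact on the classpath. The following inventory helper is an added example written for this thread; it is not code from the Tapestry project or from either poster. It does two defender-side checks: it classifies a version string against the advisory's range (the beta-qualifier handling is an assumption about how pre-releases are named), and it searches the .class entries of a jar/war, including nested jars, for the symbol name, which survives verbatim in a class file's constant pool. The sample war, its class names and the passphrase value inside it are constructed for the demo.

```python
"""Inventory helpers for CVE-2019-0195 (added example, not Tapestry project code).

1. is_affected(): is a Tapestry version string inside the advisory's affected
   range, 5.4.0 (including its betas) through 5.4.3?
2. scan_jar_bytes(): does any compiled class inside a jar/war embed the
   'tapestry.hmac-passphrase' symbol, i.e. is the passphrase most likely
   hard-coded in a classpath artifact (typically AppModule)?
All sample data below is constructed for the demo.
"""
import io
import re
import zipfile

HMAC_SYMBOL = b"tapestry.hmac-passphrase"

# Versions look like "5.4.3", "5.4-beta-35", "5.3.8"; the patch part and the
# qualifier are both optional (assumed naming scheme).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?")


def is_affected(version: str) -> bool:
    """True if `version` falls in the advisory's range 5.4.0..5.4.3.

    A qualifier on "5.4" with no patch number (the 5.4 betas) counts as a
    pre-release of 5.4.0 and is affected, as the advisory states. Anything
    outside the 5.4 line, or 5.4.4 and later, is reported as not affected.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    qualifier = m.group(4)
    if (major, minor) != (5, 4):
        return False
    if qualifier and m.group(3) is None:
        return True  # 5.4-beta-N style pre-releases of 5.4.0
    return patch <= 3


def class_has_symbol(class_bytes: bytes) -> bool:
    """String constants are stored verbatim (modified UTF-8) in the class
    file's constant pool, so a plain byte search finds the symbol name."""
    return HMAC_SYMBOL in class_bytes


def scan_jar_bytes(archive: bytes, label: str) -> list:
    """Return 'label!entry' for every .class entry embedding the symbol.
    Nested jars (e.g. WEB-INF/lib/*.jar inside a war) are descended into."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.endswith(".class") and class_has_symbol(data):
                hits.append(f"{label}!{name}")
            elif name.endswith(".jar"):
                hits.extend(scan_jar_bytes(data, f"{label}!{name}"))
    return hits


def build_sample_war() -> bytes:
    """Constructed stand-in for a deployed webapp. The class 'bytes' are fake;
    only the embedded string constants matter for the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WEB-INF/classes/com/example/services/AppModule.class",
                   b"\xca\xfe\xba\xbe" + HMAC_SYMBOL + b"change-me-123")
        z.writestr("WEB-INF/classes/com/example/pages/Index.class",
                   b"\xca\xfe\xba\xbe" + b"com/example/pages/Index")
        lib = io.BytesIO()
        with zipfile.ZipFile(lib, "w") as inner:
            inner.writestr("com/example/Util.class",
                           b"\xca\xfe\xba\xbe" + b"nothing here")
        z.writestr("WEB-INF/lib/util.jar", lib.getvalue())
    return buf.getvalue()


def demo() -> dict:
    """Run both checks over constructed inventory data."""
    versions = ["5.3.8", "5.4-beta-35", "5.4.0", "5.4.3", "5.4.5"]
    return {
        "affected": [v for v in versions if is_affected(v)],
        "hmac_in_classpath": scan_jar_bytes(build_sample_war(), "app.war"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A hit from the scan means the passphrase symbol is referenced from a class that ships inside the deployed artifact; the remediation the advisory gives is the upgrade to 5.4.5, and independently of that a defender would want the passphrase value itself supplied from outside any classpath artifact rather than compiled into one.
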
Re: [CVE-2019-0195] Apache Tapestry vulnerability disclosure

Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Mon, Oct 7, 2019 at 11:35 AM Nourredine K. <no...@gmail.com> wrote:

> Hello Thiago,
>

Hello!


> Does this CVE concern only Tapestry 5.4? What about 5.1, 5.2 and 5.3?
>

Versions affected: all Apache Tapestry versions between 5.4.0, including
its betas, and 5.4.3


> I think we should create a dedicated Jira ticket for each CVE to allow
> security devs to track Tapestry CVEs more easily.
>
> Regards,
>
> Nouredine
>
> On Fri, Sep 13, 2019 at 16:11, Thiago H. de Paula Figueiredo <thiagohp@gmail.com> wrote:
>
> > CVE-2019-0195: File Reading Leads to Java Deserialization Vulnerability
> > Severity: important
> > Vendor: The Apache Software Foundation
> > Versions affected: all Apache Tapestry versions between 5.4.0, including
> > its betas, and 5.4.3
> >
> > Description:
> > Manipulating classpath asset file URLs, an attacker could guess the path to
> > a known file in the classpath and have it downloaded. If the attacker
> > found the file with the value of the tapestry.hmac-passphrase configuration
> > symbol, most probably the webapp's AppModule class, the value of this
> > symbol could be used to craft a Java deserialization attack, thus running
> > malicious injected Java code. The vector would be the t:formdata parameter
> > from the Form component.
> >
> > Mitigation:
> > Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> > version.
> >
> > Credit:
> > Ricter Zheng
> >
> > --
> > Thiago H. de Paula Figueiredo
> >
>


-- 
Thiago