Vulnerabilities related to Apache Software Foundation - Apache Tapestry
jvndb-2015-000118
Vulnerability from jvndb
Published
2015-08-20 15:53
Modified
2015-08-26 17:51
Summary
Apache Tapestry deserializes untrusted data
Details
Apache Tapestry contains a vulnerability where it may deserialize untrusted data. Apache Tapestry is a framework for creating Java web applications. Apache Tapestry contains an interface where client side serialized data sent to the server is deserialized after it is received by the server. This data serialization / deserialization process does not contain data validation. Therefore, if the serialized data is altered, the server will deserialize data without validating the data (CWE-502). Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.


{
   "@rdf:about": "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000118.html",
   "dc:date": "2015-08-26T17:51+09:00",
   "dcterms:issued": "2015-08-20T15:53+09:00",
   "dcterms:modified": "2015-08-26T17:51+09:00",
   description: "Apache Tapestry contains a vulnerability where it may deserialize untrusted data.\r\n\r\nApache Tapestry is a framework for creating Java web applications. Apache Tapestry contains an interface where client side serialized data sent to the server is deserialized after it is received by the server. This data serialization / deserialization process does not contain data validation. Therefore, if the serialized data is altered, the server will deserailze data without validating the data (CWE-502).\r\n\r\nTakeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.\r\nJPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.",
   link: "https://jvndb.jvn.jp/en/contents/2015/JVNDB-2015-000118.html",
   "sec:cpe": {
      "#text": "cpe:/a:apache:tapestry",
      "@product": "Apache Tapestry",
      "@vendor": "Apache Software Foundation",
      "@version": "2.2",
   },
   "sec:cvss": {
      "@score": "6.8",
      "@severity": "Medium",
      "@type": "Base",
      "@vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
      "@version": "2.0",
   },
   "sec:identifier": "JVNDB-2015-000118",
   "sec:references": [
      {
         "#text": "https://jvn.jp/en/jp/JVN17611367/index.html",
         "@id": "JVN#17611367",
         "@source": "JVN",
      },
      {
         "#text": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1972",
         "@id": "CVE-2014-1972",
         "@source": "CVE",
      },
      {
         "#text": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1972",
         "@id": "CVE-2014-1972",
         "@source": "NVD",
      },
      {
         "#text": "https://www.jpcert.or.jp/securecoding/2014/OracleJava-AtomicReferenceArray.pdf",
         "@id": "OracleJava-AtomicReferenceArray.pdf",
         "@source": "JPCERT",
      },
      {
         "#text": "https://www.securecoding.cert.org/confluence/display/java/SER02-J.+Sign+then+seal+sensitive+objects+before+sending+them+outside+a+trust+boundary;jsessionid=6418285E96FE6503CBFF59A54A87B1E7",
         "@id": "SER02-J. Sign then seal sensitive objects before sending them outside a trust boundary",
         "@source": "Related Information",
      },
      {
         "#text": "https://www.ipa.go.jp/en/security/vulnerabilities/cwe.html",
         "@id": "CWE-Other",
         "@title": "No Mapping(CWE-Other)",
      },
   ],
   title: "Apache Tapestry deserializes untrusted data",
}

cve-2021-27850
Vulnerability from cvelistv5
Published
2021-04-15 07:40
Modified
2024-08-03 21:33
Summary
A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.

Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`.

Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).

Solution for this vulnerability:
* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
Impacted products
Vendor Product Version
Apache Software Foundation Apache Tapestry Version: Apache Tapestry 5.5.0
Version: Apache Tapestry 5.7.0
Version: Apache Tapestry 5.4.5   < Apache Tapestry 5.4.0*
Version: Apache Tapestry 5.6.2   < Apache Tapestry 5.6.0*


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T21:33:15.996Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E",
               },
               {
                  name: "[oss-security] 20210414 CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/04/15/1",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210528-0002/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Apache Tapestry",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     status: "affected",
                     version: "Apache Tapestry 5.5.0",
                  },
                  {
                     status: "affected",
                     version: "Apache Tapestry 5.7.0",
                  },
                  {
                     lessThan: "Apache Tapestry 5.4.0*",
                     status: "affected",
                     version: "Apache Tapestry 5.4.5",
                     versionType: "custom",
                  },
                  {
                     lessThan: "Apache Tapestry 5.6.0*",
                     status: "affected",
                     version: "Apache Tapestry 5.6.2",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Apache Tapestry would like to thank Johannes Moritz for finding and notifying this vulnerability",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-200",
                     description: "CWE-200 Information Exposure",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
            {
               descriptions: [
                  {
                     cweId: "CWE-502",
                     description: "CWE-502 Deserialization of Untrusted Data",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-05-28T09:06:12",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E",
            },
            {
               name: "[oss-security] 20210414 CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/04/15/1",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20210528-0002/",
            },
         ],
         source: {
            defect: [
               "TAP5-2663",
            ],
            discovery: "UNKNOWN",
         },
         title: "Bypass of the fix for CVE-2019-0195",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security@apache.org",
               ID: "CVE-2021-27850",
               STATE: "PUBLIC",
               TITLE: "Bypass of the fix for CVE-2019-0195",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Apache Tapestry",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: ">=",
                                          version_name: "Apache Tapestry 5.4.0",
                                          version_value: "Apache Tapestry 5.4.5",
                                       },
                                       {
                                          version_affected: "=",
                                          version_name: "Apache Tapestry 5.5.0",
                                          version_value: "Apache Tapestry 5.5.0",
                                       },
                                       {
                                          version_affected: ">=",
                                          version_name: "Apache Tapestry 5.6.0",
                                          version_value: "Apache Tapestry 5.6.2",
                                       },
                                       {
                                          version_affected: "=",
                                          version_name: "Apache Tapestry 5.7.0",
                                          version_value: "Apache Tapestry 5.7.0",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Apache Software Foundation",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "Apache Tapestry would like to thank Johannes Moritz for finding and notifying this vulnerability",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-200 Information Exposure",
                        },
                     ],
                  },
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-502 Deserialization of Untrusted Data",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E",
                     refsource: "MISC",
                     url: "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E",
                  },
                  {
                     name: "[oss-security] 20210414 CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/04/15/1",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20210528-0002/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20210528-0002/",
                  },
               ],
            },
            source: {
               defect: [
                  "TAP5-2663",
               ],
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2021-27850",
      datePublished: "2021-04-15T07:40:11",
      dateReserved: "2021-03-01T00:00:00",
      dateUpdated: "2024-08-03T21:33:15.996Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2020-17531
Vulnerability from cvelistv5
Published
2020-12-08 00:00
Modified
2024-08-04 14:00
Summary
A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.
Impacted products
Vendor Product Version
Apache Software Foundation Apache Tapestry Version: Apache Tapestry 4   <


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-04T14:00:48.808Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r700a6aa234dbff0555d4187bdc8274d7e4c0afbf35b9a3457f09ee76%40%3Cusers.tapestry.apache.org%3E",
               },
               {
                  name: "[tapestry-users] 20201208 CVE-2020-17531: Deserialization flaw in EOL Tapestry 4.",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r700a6aa234dbff0555d4187bdc8274d7e4c0afbf35b9a3457f09ee76%40%3Cusers.tapestry.apache.org%3E",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210115-0007/",
               },
               {
                  name: "[oss-security] 20221202 CVE-2022-46366: Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2022/12/02/1",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Apache Tapestry",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThanOrEqual: "4",
                     status: "affected",
                     version: "Apache Tapestry 4",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Apache Tapestry would like to thank Adrian Bravo (@adrianbravon) for reporting this issue.",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the \"sp\" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-502",
                     description: "CWE-502 Deserialization of Untrusted Data",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-12-02T00:00:00",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               url: "https://lists.apache.org/thread.html/r700a6aa234dbff0555d4187bdc8274d7e4c0afbf35b9a3457f09ee76%40%3Cusers.tapestry.apache.org%3E",
            },
            {
               name: "[tapestry-users] 20201208 CVE-2020-17531: Deserialization flaw in EOL Tapestry 4.",
               tags: [
                  "mailing-list",
               ],
               url: "https://lists.apache.org/thread.html/r700a6aa234dbff0555d4187bdc8274d7e4c0afbf35b9a3457f09ee76%40%3Cusers.tapestry.apache.org%3E",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20210115-0007/",
            },
            {
               name: "[oss-security] 20221202 CVE-2022-46366: Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input",
               tags: [
                  "mailing-list",
               ],
               url: "http://www.openwall.com/lists/oss-security/2022/12/02/1",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Deserialization flaw in EOL Tapestry 4.",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2020-17531",
      datePublished: "2020-12-08T00:00:00",
      dateReserved: "2020-08-12T00:00:00",
      dateUpdated: "2024-08-04T14:00:48.808Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-46366
Vulnerability from cvelistv5
Published
2022-12-02 00:00
Modified
2024-08-03 14:31
Summary
Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies to the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.
Impacted products
Vendor Product Version
Apache Software Foundation Apache Tapestry Version: Apache Tapestry   < 4.0.0


{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:apache:tapestry:-:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "tapestry",
                  vendor: "apache",
                  versions: [
                     {
                        status: "affected",
                        version: "-",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  cvssV3_1: {
                     attackComplexity: "LOW",
                     attackVector: "NETWORK",
                     availabilityImpact: "HIGH",
                     baseScore: 9.8,
                     baseSeverity: "CRITICAL",
                     confidentialityImpact: "HIGH",
                     integrityImpact: "HIGH",
                     privilegesRequired: "NONE",
                     scope: "UNCHANGED",
                     userInteraction: "NONE",
                     vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                     version: "3.1",
                  },
               },
               {
                  other: {
                     content: {
                        id: "CVE-2022-46366",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-05-01T14:18:53.714851Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-06-04T17:16:08.208Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T14:31:46.317Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj",
               },
               {
                  name: "[oss-security] 20221202 CVE-2022-46366: Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input",
                  tags: [
                     "mailing-list",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2022/12/02/1",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Apache Tapestry",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThan: "4.0.0",
                     status: "affected",
                     version: "Apache Tapestry",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Apache would like to thank Ilyass El Hadi from Mandiant for reporting this issue",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-502",
                     description: "CWE-502 Deserialization of Untrusted Data",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2022-12-06T00:00:00",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               url: "https://lists.apache.org/thread/bwn1vjrvz1hq0wbdzj23wz322244swhj",
            },
            {
               name: "[oss-security] 20221202 CVE-2022-46366: Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input",
               tags: [
                  "mailing-list",
               ],
               url: "http://www.openwall.com/lists/oss-security/2022/12/02/1",
            },
            {
               url: "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0041/MNDT-2022-0041.md",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         tags: [
            "unsupported-when-assigned",
         ],
         title: "Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2022-46366",
      datePublished: "2022-12-02T00:00:00",
      dateReserved: "2022-12-02T00:00:00",
      dateUpdated: "2024-08-03T14:31:46.317Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2021-30638
Vulnerability from cvelistv5
Published
2021-04-27 18:30
Modified
2024-08-03 22:40
Summary
Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.
Impacted products
Vendor Product Version
Apache Software Foundation Apache Tapestry Version: Apache Tapestry   < Apache Tapestry 5.6.4
Version: Apache Tapestry   < Apache Tapestry 5.7.2


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T22:40:31.642Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E",
               },
               {
                  name: "[oss-security] 20210427 CVE-2021-30638: An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later",
                  tags: [
                     "mailing-list",
                     "x_refsource_MLIST",
                     "x_transferred",
                  ],
                  url: "http://www.openwall.com/lists/oss-security/2021/04/27/3",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.zerodayinitiative.com/advisories/ZDI-21-491/",
               },
               {
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20210528-0004/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Apache Tapestry",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThan: "Apache Tapestry 5.6.4",
                     status: "affected",
                     version: "Apache Tapestry ",
                     versionType: "custom",
                  },
                  {
                     lessThan: "Apache Tapestry 5.7.2",
                     status: "affected",
                     version: "Apache Tapestry",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "This vulnerability was discovered by Kc Udonsi of Trend Micro",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-200",
                     description: "CWE-200 Information Exposure",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2021-05-28T09:06:15",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E",
            },
            {
               name: "[oss-security] 20210427 CVE-2021-30638: An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later",
               tags: [
                  "mailing-list",
                  "x_refsource_MLIST",
               ],
               url: "http://www.openwall.com/lists/oss-security/2021/04/27/3",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.zerodayinitiative.com/advisories/ZDI-21-491/",
            },
            {
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://security.netapp.com/advisory/ntap-20210528-0004/",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later",
         workarounds: [
            {
               lang: "en",
               value: "Solution:\nFor Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4\nFor Tapestry 5.7.0 and 5.7.1: upgrade to 5.7.2",
            },
         ],
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security@apache.org",
               ID: "CVE-2021-30638",
               STATE: "PUBLIC",
               TITLE: "An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Apache Tapestry",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "<",
                                          version_name: "Apache Tapestry ",
                                          version_value: "Apache Tapestry 5.6.4",
                                       },
                                       {
                                          version_affected: "<",
                                          version_name: "Apache Tapestry",
                                          version_value: "Apache Tapestry 5.7.2",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Apache Software Foundation",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "This vulnerability was discovered by Kc Udonsi of Trend Micro",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-200 Information Exposure",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E",
                     refsource: "MISC",
                     url: "https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E",
                  },
                  {
                     name: "[oss-security] 20210427 CVE-2021-30638: An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later",
                     refsource: "MLIST",
                     url: "http://www.openwall.com/lists/oss-security/2021/04/27/3",
                  },
                  {
                     name: "https://www.zerodayinitiative.com/advisories/ZDI-21-491/",
                     refsource: "MISC",
                     url: "https://www.zerodayinitiative.com/advisories/ZDI-21-491/",
                  },
                  {
                     name: "https://security.netapp.com/advisory/ntap-20210528-0004/",
                     refsource: "CONFIRM",
                     url: "https://security.netapp.com/advisory/ntap-20210528-0004/",
                  },
               ],
            },
            source: {
               discovery: "UNKNOWN",
            },
            work_around: [
               {
                  lang: "en",
                  value: "Solution:\nFor Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4\nFor Tapestry 5.7.0 and 5.7.1: upgrade to 5.7.2",
               },
            ],
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2021-30638",
      datePublished: "2021-04-27T18:30:15",
      dateReserved: "2021-04-13T00:00:00",
      dateUpdated: "2024-08-03T22:40:31.642Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

cve-2022-31781
Vulnerability from cvelistv5
Published
2022-07-13 07:25
Modified
2024-08-03 07:26
Summary
Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor.


{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-03T07:26:01.066Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://www.openwall.com/lists/oss-security/2022/07/12/3",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Apache Tapestry",
               vendor: "Apache Software Foundation",
               versions: [
                  {
                     lessThan: "5.8.1",
                     status: "affected",
                     version: "5.8.1",
                     versionType: "custom",
                  },
               ],
            },
         ],
         credits: [
            {
               lang: "en",
               value: "CodeQL team members [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@joefarebrother (Joseph Farebrother)](https://github.com/joefarebrother).",
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     other: "low",
                  },
                  type: "unknown",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-1333",
                     description: "CWE-1333 Inefficient Regular Expression Complexity",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-07-25T08:10:31.213Z",
            orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
            shortName: "apache",
         },
         references: [
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://www.openwall.com/lists/oss-security/2022/07/12/3",
            },
         ],
         source: {
            discovery: "UNKNOWN",
         },
         title: "Regular Expression Denial of Service (ReDoS) in ContentType.java. (GHSL-2022-022)",
         x_generator: {
            engine: "Vulnogram 0.0.9",
         },
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "security@apache.org",
               ID: "CVE-2022-31781",
               STATE: "PUBLIC",
               TITLE: "Regular Expression Denial of Service (ReDoS) in ContentType.java. (GHSL-2022-022)",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "Apache Tapestry",
                                 version: {
                                    version_data: [
                                       {
                                          version_affected: "<",
                                          version_name: "5.8.1",
                                          version_value: "5.8.1",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "Apache Software Foundation",
                     },
                  ],
               },
            },
            credit: [
               {
                  lang: "eng",
                  value: "CodeQL team members [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@joefarebrother (Joseph Farebrother)](https://github.com/joefarebrother).",
               },
            ],
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor.",
                  },
               ],
            },
            generator: {
               engine: "Vulnogram 0.0.9",
            },
            impact: [
               {
                  other: "low",
               },
            ],
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "CWE-1333 Inefficient Regular Expression Complexity",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "https://www.openwall.com/lists/oss-security/2022/07/12/3",
                     refsource: "MISC",
                     url: "https://www.openwall.com/lists/oss-security/2022/07/12/3",
                  },
               ],
            },
            source: {
               discovery: "UNKNOWN",
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09",
      assignerShortName: "apache",
      cveId: "CVE-2022-31781",
      datePublished: "2022-07-13T07:25:10",
      dateReserved: "2022-05-27T00:00:00",
      dateUpdated: "2024-08-03T07:26:01.066Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}