CVE-2019-0207: Apache Tapestry vulnerability disclosure

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

CVE-2019-0207: Apache Tapestry vulnerability disclosure

Thiago H de Paula Figueiredo
CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability
Severity: important
Vendor: The Apache Software Foundation
Versions affected: all Apache Tapestry versions between 5.4.0, including
its betas, and 5.4.4

Description: Tapestry processes assets `/assets/ctx` using classes chain
`StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't
filter the character `\`, so attacker can perform a path traversal attack
to read any files on Windows platform.

Mitigation:
Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
version.

Credit:
Ricter Zheng

--
Thiago