CVE-2019-10071: Apache Tapestry vulnerability disclosure

> CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability
> Severity: important
> Vendor: The Apache Software Foundation
> Versions affected: all Apache Tapestry versions between 5.4.0, including
> its betas, and 5.4.3.
>
> Description: The code which checks HMAC in form submissions used
> String.equals() for comparisons, which results in a timing side channel for
> the comparison of the HMAC signatures. This could lead to remote code
> execution if an attacker is able to determine the correct signature for
> their payload. The comparison should be done with a constant time algorithm
> instead.
>
> Mitigation:
> Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> version.
>
> Credit:
> David Tomaschik of the Google Security Team
>
> --
> Thiago
>

> I'm afraid I've mad an error. It should have been CVE-2019-10071: New Issue
> in Fix for CVE-2014-1972
>
>
> On Fri, Sep 13, 2019 at 11:39 AM Thiago H. de Paula Figueiredo <
> [hidden email]> wrote:
>
> > CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability
> > Severity: important
> > Vendor: The Apache Software Foundation
> > Versions affected: all Apache Tapestry versions between 5.4.0, including
> > its betas, and 5.4.3.
> >
> > Description: The code which checks HMAC in form submissions used
> > String.equals() for comparisons, which results in a timing side channel
> for
> > the comparison of the HMAC signatures. This could lead to remote code
> > execution if an attacker is able to determine the correct signature for
> > their payload. The comparison should be done with a constant time
> algorithm
> > instead.
> >
> > Mitigation:
> > Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> > version.
> >
> > Credit:
> > David Tomaschik of the Google Security Team
> >
> > --
> > Thiago
> >
>
>
> --
> Thiago
>