Deserialization flaw in EOL Tapestry 4.
CVE-2020-17531

9.8CRITICAL

Key Information:

Vendor
Apache
Vendor
CVE Published:
8 December 2020

Badges

👾 Exploit Exists

Summary

A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.

Affected Version(s)

Apache Tapestry Apache Tapestry 4 <= 4

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Apache Tapestry would like to thank Adrian Bravo (@adrianbravon) for reporting this issue.
.