An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later
CVE-2021-30638

7.5HIGH

Key Information:

Vendor
Apache
Status
Apache Tapestry
Vendor
CVE Published:
27 April 2021

Summary

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.

Affected Version(s)

Apache Tapestry Apache Tapestry

Apache Tapestry Apache Tapestry

References

https://lists.apache.org/thread.html/r37dab61fc7f7088d431...
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2021/04/27/3
mailing-listx_refsource_MLIST
https://www.zerodayinitiative.com/advisories/ZDI-21-491/
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This vulnerability was discovered by Kc Udonsi of Trend Micro
.