Information Exposure

Affecting org.apache.tapestry:tapestry-core artifact, versions [5.4.0,5.6.4) || [5.7.0,5.7.2)


Overview

org.apache.tapestry:tapestry-core is a Tapestry Core package for Apache Tapestry.

Affected versions of this package are vulnerable to Information Exposure via the context asset handling: a specially constructed URL allows an attacker to download files inside WEB-INF. The root cause is that the fix for CVE-2020-13953 does not account for the backslash character in the filtering regex, so an attacker can list and download web application files from the WEB-INF and META-INF directories using a crafted payload.
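The following is an added illustration of the filtering weakness described above, written for this page rather than taken from Tapestry's source: a hypothetical blocklist regex that only recognises the forward slash as a separator, beside a hardened check that folds backslashes to `/`, resolves `.` and `..` segments, and rejects any path that still touches WEB-INF or META-INF. The input is assumed to be the already percent-decoded asset path the servlet container hands to the application.

```python
import re

# Weak filter in the style the advisory describes: only "/" is treated as a
# path separator, so a path written with "\" never matches the pattern.
# Hypothetical illustration, not the regex shipped in tapestry-core.
WEAK_BLOCKLIST = re.compile(r"^(WEB-INF|META-INF)/", re.IGNORECASE)

# Directory names that must never be served as context assets.
PROTECTED = {"web-inf", "meta-inf"}


def weak_is_blocked(path):
    """Return True if the naive regex would reject this asset path."""
    return WEAK_BLOCKLIST.match(path) is not None


def canonicalize(path):
    """Normalise separators and dot segments so the check sees the
    path the filesystem would actually open.

    Backslashes are folded to "/", empty and "." segments are dropped,
    and ".." pops the previous segment (never above the root).
    """
    segments = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return segments


def hardened_is_blocked(path):
    """Reject the request if any canonical segment is a protected dir."""
    return any(seg.lower() in PROTECTED for seg in canonicalize(path))


def compare(paths):
    """Map each constructed request path to (weak_blocked, hardened_blocked)."""
    return {p: (weak_is_blocked(p), hardened_is_blocked(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: a legitimate asset, a direct WEB-INF
    # request, and the same request written with a backslash separator.
    for path, verdict in compare(["css/site.css", "WEB-INF/web.xml",
                                  "WEB-INF\\web.xml"]).items():
        print(f"{path!r:28} weak={verdict[0]!s:5} hardened={verdict[1]}")
```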

Remediation

Upgrade org.apache.tapestry:tapestry-core to version 5.6.4, 5.7.2 or higher.

CVSS Score: 5.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Credit: Unknown
CVE: CVE-2021-30638
CWE: CWE-200
Snyk ID: SNYK-JAVA-ORGAPACHETAPESTRY-1277189
Disclosed: 28 Apr, 2021
Published: 28 Apr, 2021