Apache Tapestry ContextAssetRequestHandler Information Disclosure
• glitchnsec
CVE: CVE-2021-30638
CVSS3.1: 8.6, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Vendor: Apache Software Foundation
CWEs:
Affected Products:
- Tapestry prior to v5.7.2
Other Advisories:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30638
- https://www.zerodayinitiative.com/advisories/ZDI-21-491/
- https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E
Description
This vulnerability is due to an incomplete fix for CVE-2020-13953. Manipulating the asset URL with backslashes allows web application files within the WEB-INF directory to be downloaded remotely.
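As an added illustration (not Tapestry's ContextAssetRequestHandler and not the project's actual fix), the following guard shows the kind of check an asset handler needs before serving a file from the web context: decode the request path once, reject backslashes and any leftover or doubled percent-encoding outright rather than normalizing them, and then refuse any path segment that traverses upward or names WEB-INF or META-INF, compared case-insensitively. The class and method names and the sample paths are assumptions made for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

/**
 * Illustrative path guard for a context-asset handler (added example; assumed
 * names, not Tapestry's code). Deny-by-default: anything odd is refused.
 */
public final class ContextAssetPathGuard {

    /** Returns true only if the request path may be served from the web context. */
    public static boolean isSafeContextAssetPath(String rawPath) {
        if (rawPath == null || rawPath.isEmpty()) {
            return false;
        }

        // Decode exactly once so an encoded backslash (%5C) or dot cannot slip past the checks.
        // (URLDecoder also maps '+' to a space, which is harmless for a denylist check.)
        String path;
        try {
            path = URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return false; // malformed percent-encoding is rejected outright
        }

        // A '%' surviving one decode means double encoding; NUL bytes are never legitimate.
        if (path.indexOf('%') >= 0 || path.indexOf('\0') >= 0) {
            return false;
        }

        // Backslashes are never valid in a context asset path: reject, do not normalize.
        if (path.indexOf('\\') >= 0) {
            return false;
        }

        // Check every segment: no upward traversal, no protected directories.
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                return false;
            }
            String upper = segment.toUpperCase(Locale.ROOT);
            if (upper.equals("WEB-INF") || upper.equals("META-INF")) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample request paths: the first two should be allowed, the rest denied.
        String[] samples = {
            "/css/site.css",
            "/images/logo.png",
            "/WEB-INF/web.xml",
            "/web-inf/classes/app.properties",
            "/css/..\\WEB-INF/web.xml",
            "/css/%5c..%5cWEB-INF/web.xml",
            "/css/../WEB-INF/web.xml"
        };
        for (String s : samples) {
            System.out.println((isSafeContextAssetPath(s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

The design choice worth noting is that the guard refuses backslashes instead of translating them to forward slashes: a normalize-then-check approach is exactly the pattern that leaves room for a second bypass, whereas rejecting any character with no legitimate meaning in an asset path keeps the check independent of how the underlying file system or servlet container interprets it. The same list of rejected inputs also serves as a starting point for a request-log search when assessing whether an unpatched instance was probed.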
Fixed Versions:
- Tapestry 5.7.2
Disclosure Timeline
- 2020-10-07 - Vulnerability reported to ZDI
- 2020-10-21 - Vulnerability reported to vendor by ZDI
- 2021-03-04 - Vulnerability reported to vendor by ZDI
- 2021-04-29 - Coordinated public release of advisory