Re: [CVE-2019-0195] Apache Tapestry vulnerability disclosure

2019-10-14 Thread Thiago H. de Paula Figueiredo
On Mon, Oct 7, 2019 at 11:35 AM Nourredine K. wrote:

> Hello Thiago,

Hello!

> Does this CVE concern only Tapestry 5.4? What about 5.1, 5.2 and 5.3?

Versions affected: all Apache Tapestry versions between 5.4.0, including its betas, and 5.4.3

> I think we should create a dedicated jir

Re: [CVE-2019-0195] Apache Tapestry vulnerability disclosure

2019-10-07 Thread Nourredine K.
Hello Thiago,

Does this CVE concern only Tapestry 5.4? What about 5.1, 5.2 and 5.3?

I think we should create a dedicated Jira ticket for each CVE to allow security devs to track Tapestry CVEs more easily.

Regards,
Nouredine

On Fri, Sep 13, 2019 at 16:11, Thiago H. de Paula Figueiredo < thiag...@g

[CVE-2019-0195] Apache Tapestry vulnerability disclosure

2019-09-13 Thread Thiago H. de Paula Figueiredo
CVE-2019-0195: File reading Leads Java Deserialization Vulnerability

Severity: important

Vendor: The Apache Software Foundation

Versions affected: all Apache Tapestry versions between 5.4.0, including its betas, and 5.4.3

Description: Manipulating classpath asset file URLs, an attacker could guess