I'm afraid I've made an error. It should have been CVE-2019-10071: New Issue
in Fix for CVE-2014-1972


On Fri, Sep 13, 2019 at 11:39 AM Thiago H. de Paula Figueiredo <
thiag...@gmail.com> wrote:

> CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability
> Severity: important
> Vendor: The Apache Software Foundation
> Versions affected: all Apache Tapestry versions between 5.4.0, including
> its betas, and 5.4.3.
>
> Description: The code which checks HMAC in form submissions used
> String.equals() for comparisons, which results in a timing side channel for
> the comparison of the HMAC signatures. This could lead to remote code
> execution if an attacker is able to determine the correct signature for
> their payload. The comparison should be done with a constant time algorithm
> instead.
>
> Mitigation:
> Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> version.
>
> Credit:
> David Tomaschik of the Google Security Team
>
> --
> Thiago
>


-- 
Thiago
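The quoted advisory turns on one detail: verifying an HMAC with String.equals() exits at the first mismatching character, so the time taken leaks how many leading characters of a forged tag are correct. The example below is added here to illustrate that contrast; it is not Tapestry's code and does not reproduce the 5.4.5 fix. The class name, the form-data string, and the demo key are constructed for the illustration. It signs a serialized form with HMAC-SHA256, then shows the vulnerable pattern next to a hardened verifier that decodes the submitted tag and compares raw bytes with MessageDigest.isEqual, which examines every byte regardless of where the first difference lies.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

/** Constructed demo: HMAC verification the vulnerable way and the constant-time way. */
public class HmacCompareDemo {
    private static final String ALG = "HmacSHA256";

    /** Compute a Base64-encoded HMAC-SHA256 tag over the serialized form data. */
    static String sign(byte[] key, String formData) throws Exception {
        Mac mac = Mac.getInstance(ALG);
        mac.init(new SecretKeySpec(key, ALG));
        byte[] tag = mac.doFinal(formData.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(tag);
    }

    /**
     * Vulnerable pattern (the one the advisory describes): String.equals()
     * returns as soon as a character differs, so verification time depends on
     * how long the common prefix of the expected and submitted tags is.
     */
    static boolean verifyVulnerable(byte[] key, String formData, String submittedTag) throws Exception {
        return sign(key, formData).equals(submittedTag);
    }

    /**
     * Hardened pattern: decode both tags to raw bytes and compare them with
     * MessageDigest.isEqual, which touches every byte before answering.
     * A malformed Base64 tag is rejected outright; the only thing that path
     * reveals is that the tag was not even well-formed.
     */
    static boolean verifyConstantTime(byte[] key, String formData, String submittedTag) throws Exception {
        byte[] expected = Base64.getDecoder().decode(sign(key, formData));
        byte[] actual;
        try {
            actual = Base64.getDecoder().decode(submittedTag);
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        // Length is fixed for a given MAC algorithm, so the early length check
        // inside isEqual does not leak anything about the key or the expected tag.
        return MessageDigest.isEqual(expected, actual);
    }

    /** Flip the last character of a valid tag to produce a near-miss forgery. */
    static String tamper(String tag) {
        int last = tag.length() - 1;
        char replacement = tag.charAt(last) == 'A' ? 'B' : 'A';
        return tag.substring(0, last) + replacement;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and form data; a real deployment uses a per-application secret.
        byte[] key = "constructed-demo-key-do-not-reuse".getBytes(StandardCharsets.UTF_8);
        String form = "t:formdata=field1=value1&field2=value2";

        String validTag = sign(key, form);
        String forgedTag = tamper(validTag);

        System.out.println("valid tag, String.equals():       " + verifyVulnerable(key, form, validTag));
        System.out.println("valid tag, MessageDigest.isEqual: " + verifyConstantTime(key, form, validTag));
        System.out.println("forged tag, String.equals():      " + verifyVulnerable(key, form, forgedTag));
        System.out.println("forged tag, MessageDigest.isEqual:" + verifyConstantTime(key, form, forgedTag));
        System.out.println("garbage tag, MessageDigest.isEqual: " + verifyConstantTime(key, form, "not base64!"));
    }
}
```

Both verifiers return the same booleans, which is the point: the defect is not in the answer but in how long it takes to produce it. When auditing a code base for this class of bug, grep for `.equals(` and `Arrays.equals(` on anything named like a signature, token, or digest, and replace them with MessageDigest.isEqual (or hmac.compare_digest in Python, crypto.timingSafeEqual in Node); a unit test cannot catch it because the function's result is correct either way.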
