Hello Thiago,

Does this CVE concern only Tapestry 5.4? What about 5.1, 5.2 and 5.3?

I think we should create a dedicated JIRA ticket for each CVE to allow security devs to track Tapestry CVEs more easily.
Regards,
Nouredine

On Fri, 13 Sept 2019 at 16:11, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:

> CVE-2019-0195: File reading Leads Java Deserialization Vulnerability
>
> Severity: important
>
> Vendor: The Apache Software Foundation
>
> Versions affected: all Apache Tapestry versions between 5.4.0, including
> its betas, and 5.4.3
>
> Description:
> Manipulating classpath asset file URLs, an attacker could guess the path to
> a known file in the classpath and have it downloaded. If the attacker
> found the file with the value of the tapestry.hmac-passphrase configuration
> symbol, most probably the webapp's AppModule class, the value of this
> symbol could be used to craft a Java deserialization attack, thus running
> malicious injected Java code. The vector would be the t:formdata parameter
> from the Form component.
>
> Mitigation:
> Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> version.
>
> Credit:
> Ricter Zheng
>
> --
> Thiago H. de Paula Figueiredo
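A practical first check when triaging this advisory is whether a deployed application's Tapestry artifacts fall inside the quoted affected range (every 5.4.0 pre-release up to and including 5.4.3). The script below is an added example written for this page, not code from the Tapestry project or from either message above. It assumes Tapestry version strings of the form `5.4.3` or `5.4-beta-26` (an optional pre-release tag after a hyphen), treats any `org.apache.tapestry` Maven coordinate as carrying the Tapestry version, and uses a constructed list of coordinates as sample input. It reports 5.4.4 as outside the range the advisory names, and recommends the 5.4.5 drop-in upgrade for anything inside it.

```python
import re
from typing import Dict, Iterable, NamedTuple

# Fixed version named in the advisory as a drop-in replacement for any 5.4.x.
FIXED_VERSION = "5.4.5"

# Assumed version syntax: 1 to 3 numeric components, optional "-tag[-N]" suffix
# such as -beta-26 or -SNAPSHOT. Anything else is rejected rather than guessed.
_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?"      # 5, 5.4, 5.4.3
    r"(?:-([A-Za-z]+)[-.]?(\d+)?)?$"       # -beta-26, -SNAPSHOT
)


class TapestryVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    release: int      # 0 = pre-release (alpha/beta/SNAPSHOT), 1 = final
    pre_number: int   # numeric part of the pre-release tag, 0 if absent


def parse_version(text: str) -> TapestryVersion:
    """Parse a Tapestry version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tapestry version: {text!r}")
    major, minor, patch, tag, pre_no = m.groups()
    return TapestryVersion(
        int(major),
        int(minor or 0),
        int(patch or 0),
        0 if tag else 1,
        int(pre_no) if pre_no else 0,
    )


# Affected range from the advisory: 5.4.0 including its betas ... 5.4.3.
# The lower bound sorts before every 5.4.0 pre-release; the upper bound is the
# final 5.4.3 release, inclusive. Tuple ordering does the comparison.
_AFFECTED_LOW = TapestryVersion(5, 4, 0, 0, 0)
_AFFECTED_HIGH = TapestryVersion(5, 4, 3, 1, 0)


def is_affected(version: str) -> bool:
    """True if the version lies in the range the advisory lists as affected."""
    return _AFFECTED_LOW <= parse_version(version) <= _AFFECTED_HIGH


def scan_coordinates(coords: Iterable[str]) -> Dict[str, str]:
    """Map each org.apache.tapestry Maven coordinate to a verdict.

    Coordinates are 'group:artifact:version'. Non-Tapestry groups are skipped.
    """
    results: Dict[str, str] = {}
    for coord in coords:
        group, _artifact, version = coord.split(":")
        if group != "org.apache.tapestry":
            continue
        if is_affected(version):
            results[coord] = f"AFFECTED by CVE-2019-0195, upgrade to {FIXED_VERSION}"
        else:
            results[coord] = "not in the advisory's affected range"
    return results


# Constructed sample input, not taken from any real project.
SAMPLE_COORDINATES = [
    "org.apache.tapestry:tapestry-core:5.4-beta-26",
    "org.apache.tapestry:tapestry-core:5.4.1",
    "org.apache.tapestry:tapestry-ioc:5.4.3",
    "org.apache.tapestry:tapestry-core:5.4.4",
    "org.apache.tapestry:tapestry-core:5.4.5",
    "org.apache.tapestry:tapestry-core:5.3.8",
    "org.slf4j:slf4j-api:1.7.25",
]

if __name__ == "__main__":
    for coord, verdict in scan_coordinates(SAMPLE_COORDINATES).items():
        print(f"{coord:50s} {verdict}")
```

Pre-release tags sort below the final release of the same number, so `5.4-beta-26` is caught while `5.4.4` and `5.4.5` are not; a `5.4.x-SNAPSHOT` below 5.4.4 is also flagged, which is the conservative reading of "including its betas".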