Hello Thiago,

Same question here.
Does this CVE concern only Tapestry 5.4? What about 5.3?

Regards,
Nouredine

On Fri, 13 Sep 2019 at 17:02, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:
> I'm afraid I've made an error. It should have been CVE-2019-10071: New Issue
> in Fix for CVE-2014-1972
>
> On Fri, Sep 13, 2019 at 11:39 AM Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:
>
>> CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability
>> Severity: important
>> Vendor: The Apache Software Foundation
>> Versions affected: all Apache Tapestry versions between 5.4.0, including
>> its betas, and 5.4.3.
>>
>> Description: The code which checks HMAC in form submissions used
>> String.equals() for comparisons, which results in a timing side channel for
>> the comparison of the HMAC signatures. This could lead to remote code
>> execution if an attacker is able to determine the correct signature for
>> their payload. The comparison should be done with a constant time algorithm
>> instead.
>>
>> Mitigation:
>> Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
>> version.
>>
>> Credit:
>> David Tomaschik of the Google Security Team
>>
>> --
>> Thiago
>
>
> --
> Thiago
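The vulnerable pattern the advisory describes (String.equals() on an HMAC) next to the constant-time check it recommends, as an added illustration that is not Tapestry's own code; the key, the HmacSHA256 algorithm and the form payload are constructed for the demo:

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class HmacCompare {
    private static final String ALGORITHM = "HmacSHA256";
    // Constructed demo key; a real deployment uses a per-application secret.
    private static final byte[] KEY =
            "demo-secret-key-not-for-production".getBytes(StandardCharsets.UTF_8);

    // Compute the Base64-encoded HMAC of a serialized form payload.
    static String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance(ALGORITHM);
        mac.init(new SecretKeySpec(KEY, ALGORITHM));
        return Base64.getEncoder()
                .encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Vulnerable pattern: String.equals() returns at the first differing
    // character, so the time it takes depends on how many leading characters
    // of the presented signature are already correct.
    static boolean verifyVulnerable(String payload, String presented) throws Exception {
        return sign(payload).equals(presented);
    }

    // Hardened pattern: MessageDigest.isEqual() examines every byte instead of
    // stopping at the first mismatch, so the comparison time no longer reveals
    // where the presented signature diverges from the expected one.
    static boolean verifyConstantTime(String payload, String presented) throws Exception {
        byte[] expected = sign(payload).getBytes(StandardCharsets.UTF_8);
        byte[] given = presented.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);
    }

    public static void main(String[] args) throws Exception {
        String form = "t:formdata=constructed-demo-payload"; // constructed stand-in
        String good = sign(form);
        String tampered = sign(form + "x");
        System.out.println("valid signature accepted:   " + verifyConstantTime(form, good));
        System.out.println("tampered signature rejected: " + verifyConstantTime(form, tampered));
    }
}
```

Both verifiers return the same boolean; the difference is only in how long a rejection takes, which is what the side channel in the advisory exploits.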