Hello Thiago,

Same question here.

Does this CVE concern only Tapestry 5.4? What about 5.3?

Regards,

Nouredine

On Fri, Sep 13, 2019 at 5:02 PM, Thiago H. de Paula Figueiredo <
thiag...@gmail.com> wrote:

> I'm afraid I've made an error. It should have been CVE-2019-10071: New Issue
> in Fix for CVE-2014-1972
>
>
> On Fri, Sep 13, 2019 at 11:39 AM Thiago H. de Paula Figueiredo <
> thiag...@gmail.com> wrote:
>
> > CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability
> > Severity: important
> > Vendor: The Apache Software Foundation
> > Versions affected: all Apache Tapestry versions between 5.4.0, including
> > its betas, and 5.4.3.
> >
> > Description: The code which checks HMAC in form submissions used
> > String.equals() for comparisons, which results in a timing side channel
> > for the comparison of the HMAC signatures. This could lead to remote code
> > execution if an attacker is able to determine the correct signature for
> > their payload. The comparison should be done with a constant time
> > algorithm instead.
> >
> > Mitigation:
> > Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> > version.
> >
> > Credit:
> > David Tomaschik of the Google Security Team
> >
> > --
> > Thiago
> >
>
>
> --
> Thiago
>
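For readers who want to see what the advisory is describing, here is an added example (my own illustration, not Tapestry's code and not anything from the thread above) of the bug class in plain Java: a form payload is signed with HMAC-SHA256, one verifier compares the hex-encoded signatures with String.equals(), the other decodes the submitted value and compares the raw bytes with MessageDigest.isEqual(). The key, the payload and the hex encoding are constructed for the demo; Tapestry's real signing code, key handling and encoding are assumptions here and may differ.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Illustration of the CVE-2019-10071 bug class (timing side channel in an
// HMAC check). Not Tapestry's code; names and payload are made up for the demo.
public class HmacCompare {
    private static final String ALGO = "HmacSHA256";

    // Signs a serialized form payload. In a real app the key comes from config.
    static byte[] sign(byte[] key, byte[] payload) throws Exception {
        Mac mac = Mac.getInstance(ALGO);
        mac.init(new SecretKeySpec(key, ALGO));
        return mac.doFinal(payload);
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x)); // %x on a byte is unsigned
        return sb.toString();
    }

    static byte[] fromHex(String s) {
        if (s.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            // NumberFormatException (an IllegalArgumentException) on non-hex input
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    // VULNERABLE: String.equals() returns at the first differing character, so
    // the time it takes reveals how many leading characters of the guess are
    // already correct; an attacker can then recover the signature one
    // character at a time instead of guessing all of it at once.
    static boolean verifyUnsafe(byte[] key, byte[] payload, String submittedHex) throws Exception {
        return toHex(sign(key, payload)).equals(submittedHex);
    }

    // FIXED: MessageDigest.isEqual() looks at every byte no matter where the
    // first mismatch is (constant time for equal-length inputs on current JDKs),
    // so the response time no longer depends on the attacker's guess.
    static boolean verifySafe(byte[] key, byte[] payload, String submittedHex) throws Exception {
        byte[] expected = sign(key, payload);
        byte[] submitted;
        try {
            submitted = fromHex(submittedHex);
        } catch (IllegalArgumentException e) {
            return false; // malformed signature: reject, nothing to compare
        }
        return MessageDigest.isEqual(expected, submitted);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo inputs, not real Tapestry form data.
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] form = "field=value&other=1".getBytes(StandardCharsets.UTF_8);
        String genuine = toHex(sign(key, form));
        // An attacker's guess that is right except for the last hex digit.
        String forged = genuine.substring(0, genuine.length() - 1)
                + (genuine.endsWith("0") ? "1" : "0");

        System.out.println("unsafe, genuine: " + verifyUnsafe(key, form, genuine)); // true
        System.out.println("unsafe, forged : " + verifyUnsafe(key, form, forged));  // false
        System.out.println("safe,   genuine: " + verifySafe(key, form, genuine));   // true
        System.out.println("safe,   forged : " + verifySafe(key, form, forged));    // false
    }
}
```

Both verifiers return the same booleans; the difference is only in how long the rejecting path takes relative to the position of the first wrong character, which is exactly what the advisory's "timing side channel" refers to. Compile and run with `javac HmacCompare.java && java HmacCompare`.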
