On Mon, Oct 7, 2019 at 11:35 AM Nourredine K. <nourredin...@gmail.com> wrote:
> Hello Thiago,

Hello!

> Does this CVE concern only Tapestry 5.4? What about 5.1, 5.2 and 5.3?

Versions affected: all Apache Tapestry versions between 5.4.0, including its betas, and 5.4.3

> I think we should create a dedicated jira ticket for each CVE to allow
> security dev track Tapestry CVE more easily.
>
> Regards,
>
> Nouredine
>
> On Fri, Sep 13, 2019 at 16:11, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:
>
> > CVE-2019-0195: File reading Leads Java Deserialization Vulnerability
> > Severity: important
> > Vendor: The Apache Software Foundation
> > Versions affected: all Apache Tapestry versions between 5.4.0, including
> > its betas, and 5.4.3
> >
> > Description:
> > Manipulating classpath asset file URLs, an attacker could guess the path to
> > a known file in the classpath and have it downloaded. If the attacker
> > found the file with the value of the tapestry.hmac-passphrase configuration
> > symbol, most probably the webapp's AppModule class, the value of this
> > symbol could be used to craft a Java deserialization attack, thus running
> > malicious injected Java code. The vector would be the t:formdata parameter
> > from the Form component.
> >
> > Mitigation:
> > Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
> > version.
> >
> > Credit:
> > Ricter Zheng
> >
> > --
> > Thiago H. de Paula Figueiredo
>

--
Thiago