[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] [CVE-2019-0195] Apache Tapestry vulnerability disclosure
From: "Thiago H. de Paula Figueiredo" <thiagohp () gmail ! com>
Date: 2019-09-13 14:19:05
Message-ID: CAE_88GZ56+bOh7t_Og1LOMmif4aQo3Y-Zdx_zzp_ufJciOhQ9w () mail ! gmail ! com
[Download RAW message or body]
CVE-2019-0195: File reading Leads Java Deserialization Vulnerability
Severity: important
Vendor: The Apache Software Foundation
Versions affected: all Apache Tapestry versions between 5.4.0, including
its betas, and 5.4.3
Description:
Manipulating classpath asset file URLs, an attacker could guess the path to
a known file in the classpath and have it downloaded. If the attacker found
the file with the value of the tapestry.hmac-passphrase configuration
symbol, most probably the webapp's AppModule class, the value of this
symbol could be used to craft a Java deserialization attack, thus running
malicious injected Java code. The vector would be the t:formdata parameter
from the Form component.
Mitigation:
Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
version.
Credit:
Ricter Zheng
--
Thiago H. de Paula Figueiredo
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic