[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability
From: "Thiago H. de Paula Figueiredo" <thiagohp () gmail ! com>
Date: 2019-09-13 14:25:20
Message-ID: CAE_88GZuxbwSuZy+oNqGLZj9hWHiyy7n7FhJY-fza_e0UinJjg () mail ! gmail ! com
[Download RAW message or body]
CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability
Severity: important
Vendor: The Apache Software Foundation
Versions affected: all Apache Tapestry versions between 5.4.0, including
its betas, and 5.4.4
Description: Tapestry processes assets `/assets/ctx` using classes chain
`StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't
filter the character `\`, so attacker can perform a path traversal attack
to read any files on Windows platform.
Mitigation:
Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
version.
Credit:
Ricter Zheng
--
Thiago
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic