
List:       oss-security
Subject:    [oss-security] CVE-2021-30638: An Information Disclosure due to insufficient input validation exists
From:       "Thiago H. de Paula Figueiredo" <thiagohp () gmail ! com>
Date:       2021-04-27 17:35:20
Message-ID: CAE_88GYP-ZX9=b7LfepVqRZyBeOmGTWRV92BONJCBGkLULcQ3Q () mail ! gmail ! com


Description:

An Information Exposure vulnerability in the context asset handling of
Apache Tapestry allows an attacker to download files inside WEB-INF by using
a specially constructed URL.  This was caused by an incomplete fix for
CVE-2020-13953.  This issue affects Apache Tapestry 5.4.0 to Apache Tapestry
5.6.3, and Apache Tapestry 5.7.0 and Apache Tapestry 5.7.1.

Solution:

For Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4

For Tapestry 5.7.0 and 5.7.1: upgrade to 5.7.2

************ Problem Description ************

An Information Disclosure due to insufficient input validation exists
in Apache Tapestry 5.6.1 and later (latest).

A recent patch for CVE-2020-13953
(https://github.com/apache/tapestry-5/commit/cf1912291af9146ee86a4aef471ae2ab31d3a28b)
fails to account for the backslash character in the filtering regex.

An attacker is therefore able to list and download web app files from
the WEB-INF and META-INF directories using a crafted payload.

Credit:

This vulnerability was discovered by Kc Udonsi of Trend Micro

-- 
Thiago
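
Added example, not part of the original advisory and not Apache Tapestry's code: a hypothetical path filter whose regex only recognises '/' as a separator, next to a check that unifies separators before comparing path segments. The class name, method names, regex and sample paths are all assumptions made for illustration, and the input is assumed to be already URL-decoded.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

// Added example: hypothetical asset-path filter, not Apache Tapestry's code.
public class AssetPathFilterDemo {

    // Hypothetical "before": the regex treats only '/' as a path separator,
    // so a protected directory name followed by '\' is not recognised.
    private static final Pattern SLASH_ONLY =
        Pattern.compile("^/*(WEB-INF|META-INF)(/.*)?$", Pattern.CASE_INSENSITIVE);

    static boolean naiveIsBlocked(String path) {
        return SLASH_ONLY.matcher(path).matches();
    }

    // Hardened: unify separators first, then compare whole path segments.
    // Assumes the caller has already URL-decoded the path.
    static boolean hardenedIsBlocked(String path) {
        String unified = path.replace('\\', '/');
        for (String segment : unified.split("/+")) {
            if (segment.equals("..")) {
                return true; // refuse parent-directory traversal outright
            }
            String upper = segment.toUpperCase(Locale.ROOT);
            if (upper.equals("WEB-INF") || upper.equals("META-INF")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from the advisory.
        List<String> samples = List.of(
            "images/logo.png",
            "WEB-INF/web.xml",
            "WEB-INF\\web.xml",
            "/META-INF\\MANIFEST.MF");
        for (String p : samples) {
            System.out.printf("%-24s naive=%-5b hardened=%b%n",
                p, naiveIsBlocked(p), hardenedIsBlocked(p));
        }
    }
}
```

The two backslash-separated samples are the cases where the two checks disagree, which makes them useful regression tests for any asset filter of this kind.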

