CVE-2014-1972

CWE-399 CWE-502 — Deserialization of Untrusted Data4 documents4 sources

Severity

7.8HIGH

EPSS

8.8%

top 7.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tapestry

Timeline

PublishedAug 22

Latest updateMay 13

Description

Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource consumption) or execute arbitrary code via crafted serialized data.

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages2 packages

▶Mavenorg.apache.tapestry:tapestry-core< 5.3.6

▶NVDapache/tapestry5.3.5

🔴Vulnerability Details

OSV

Apache Tapestry Unsafe Object Storage↗2022-05-13

▶

GHSA

Apache Tapestry Unsafe Object Storage↗2022-05-13

▶

CVEList

CVE-2014-1972: Apache Tapestry before 5↗2015-08-22

▶