CVE-2019-0207

CWE-22 — Path Traversal4 documents4 sources

Severity

7.5HIGH

EPSS

1.4%

top 19.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tapestry Apache Apache Tapestry

Timeline

PublishedSep 16

Latest updateNov 18

Description

Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so attacker can perform a path traversal attack to read any files on Windows platform.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.apache.tapestry:tapestry-core5.4.0 — 5.4.5

▶NVDapache/tapestry5.4.0 — 5.4.4

▶CVEListV5apache/apache_tapestryApache Tapestry 5.4.0 to 5.4.4

🔴Vulnerability Details

OSV

Path traversal attack on Windows platforms↗2019-11-18

▶

GHSA

Path traversal attack on Windows platforms↗2019-11-18

▶

CVEList

CVE-2019-0207: Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the charac↗2019-09-16

▶