Severity: 5.3 MEDIUM
EPSS: 1.8% (top 17.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 30; latest update Mar 18

Description

In Apache Tapestry from 5.4.0 to 5.5.0, by crafting specific URLs an attacker can download files inside the WEB-INF folder of the WAR being run.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (4 packages)

NVD | apache/tapestry | 5.4.0 | 5.6.4 | +1
Maven | org.apache.tapestry:tapestry-core | 5.4.0 | 5.6.0
CVEListV5 | apache_software_foundation/apache_tapestry | Apache Tapestry | Apache Tapestry 5.6.4 | +1
CVEListV5 | apache_tapestry | Apache Tapestry | from 5.4.0 to 5.5.0

Vulnerability Details (4)

GHSA | Information Exposure in Apache Tapestry | 2022-03-18
GHSA | Improper file downloads in Apache Tapestry | 2022-02-10
OSV | Improper file downloads in Apache Tapestry | 2022-02-10
CVEList | CVE-2020-13953: In Apache Tapestry from 5 | 2020-09-30
CVE-2020-13953 (MEDIUM CVSS 5.3) | In Apache Tapestry from 5.4.0 to 5. | cvebase.io