CVE-2020-17531
published 2020-12-08CVE-2020-17531: A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the…
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tapestry | >= 3.0.0 < 4.0.0 | 4.0.0 |
| apache | tapestry | >= 4.0.0 < 5.0.1 | 5.0.1 |
| apache_software_foundation | apache_tapestry | >= Apache Tapestry < 4.0.0 | 4.0.0 |
| fasterxml | jackson-databind | >= 0 < 2.4.2-3ubuntu0.1~esm2 | 2.4.2-3ubuntu0.1~esm2 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa9.8CRITICAL
osv9.8CRITICAL