CVE-2020-17531

CWE-502 — Deserialization of Untrusted Data9 documents6 sources

Severity

9.8CRITICAL

EPSS

36.5%

top 2.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tapestry Apache Tapestry

Timeline

PublishedDec 8

Latest updateDec 2

Description

A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5apache_software_foundation/apache_tapestryApache Tapestry — 4.0.0+1

▶NVDapache/tapestry4.0.0 — 5.0.1

▶Mavenorg.apache.tapestry:tapestry-project4.0 — 5.0.1

🔴Vulnerability Details

GHSA

Apache Tapestry allows deserialization of untrusted data↗2022-12-02

▶

GHSA

Serialization vulnerability in Apache Tapestry↗2022-02-09

▶

OSV

Serialization vulnerability in Apache Tapestry↗2022-02-09

▶

OSV

jackson-databind vulnerabilities↗2021-03-15

▶

CVEList

Deserialization flaw in EOL Tapestry 4.↗2020-12-08

▶

📋Vendor Advisories

Red Hat

Tapestry: prior to version 4 (EOL) allows RCE though deserialization of untrusted input↗2022-12-02

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Build Request (jackson-databind) — CVE-2019-17531↗2020-10-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Security Framework (jackson-databind) — CVE-2019-17531↗2020-07-15

▶