CVE-2021-30638

CWE-200Information ExposureCWE-863Incorrect Authorization4 documents4 sources
Severity
7.5HIGH
EPSS
5.3%
top 9.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Software Foundation Apache TapestryApache Tapestry
Timeline
PublishedApr 27
Latest updateMar 18

Description

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDapache/tapestry5.4.05.6.4+1
Mavenorg.apache.tapestry:tapestry-core5.4.05.6.4+1
CVEListV5apache_software_foundation/apache_tapestryApache TapestryApache Tapestry 5.6.4+1

🔴Vulnerability Details

3
GHSA
Information Exposure in Apache Tapestry2022-03-18
OSV
Information Exposure in Apache Tapestry2022-03-18
CVEList
An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later2021-04-27
CVE-2021-30638 (HIGH CVSS 7.5) | Information Exposure vulnerability | cvebase.io