Apache Tapestry vulnerabilities
2 known vulnerabilities affecting apache/apache_tapestry.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 1
Vulnerabilities
CVE-2019-10071 | CRITICAL | CVSS 9.8 | CWE-203 | Apache Tapestry 5.4.0 to 5.4.3 | 2019-09-16
The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm ins
cvelistv5, nvd
CVE-2019-0207 | HIGH | CVSS 7.5 | CWE-22 | Apache Tapestry 5.4.0 to 5.4.4 | 2019-09-16
Tapestry processes assets `/assets/ctx` using the class chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so an attacker can perform a path traversal attack to read any files on the Windows platform.
cvelistv5, nvd