Apache Software Foundation Apache Tapestry vulnerabilities

CVE-2022-46366 [CRITICAL] CWE-502 Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input Apache Tapestry prior to version 4 (EOL) allows RCE though deserialization of untrusted input Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version l

CVE-2022-31781 [HIGH] CWE-1333 CVE-2022-31781: Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.Conte

CVE-2021-30638 [MEDIUM] CWE-200 An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tape

CVE-2021-27850 [CRITICAL] CWE-200 Bypass of the fix for CVE-2019-0195 Bypass of the fix for CVE-2019-0195 A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.

CVE-2020-17531 [CRITICAL] CWE-502 CVE-2020-17531: A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5

CVE-2020-13953 [MEDIUM] CWE-552 CVE-2020-13953: In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files insid In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run.

CVE-2019-0195 [CRITICAL] CWE-502 CVE-2019-0195: Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the clas Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack