<!--X-Body-Begin-->
<!--X-User-Header-->
oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->
By Date
By Thread
</form>
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
[CVE-2019-0195] Apache Tapestry vulnerability disclosure
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
From: "Thiago H. de Paula Figueiredo" <thiagohp () gmail com>
Date: Fri, 13 Sep 2019 11:19:05 -0300
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
CVE-2019-0195: File reading Leads Java Deserialization Vulnerability
Severity: important
Vendor: The Apache Software Foundation
Versions affected: all Apache Tapestry versions between 5.4.0, including
its betas, and 5.4.3
Description:
Manipulating classpath asset file URLs, an attacker could guess the path to
a known file in the classpath and have it downloaded. If the attacker found
the file with the value of the tapestry.hmac-passphrase configuration
symbol, most probably the webapp's AppModule class, the value of this
symbol could be used to craft a Java deserialization attack, thus running
malicious injected Java code. The vector would be the t:formdata parameter
from the Form component.
Mitigation:
Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
version.
Credit:
Ricter Zheng
--
Thiago H. de Paula Figueiredo
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
By Date
By Thread
Current thread:
[CVE-2019-0195] Apache Tapestry vulnerability disclosure Thiago H. de Paula Figueiredo (Sep 13)
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->