Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
668
VMScore

CVE-2019-0195

Published: 16/09/2019 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache tapestry

Mailing Lists

Full Disclosure: CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195
Description: A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry The affected versions include 545, 550, 562 and 570 The vulnerability I have found is a bypass of the fix for CVE-2019-0195 Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class ...
Full Disclosure: [CVE-2019-0195] Apache Tapestry vulnerability disclosure
CVE-2019-0195: File reading Leads Java Deserialization Vulnerability Severity: important Vendor: The Apache Software Foundation Versions affected: all Apache Tapestry versions between 540, including its betas, and 543 Description: Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have ...

References

CWE-502http://www.openwall.com/lists/oss-security/2021/04/15/1https://lists.apache.org/thread.html/5173c4eed06e2fca6fd5576ed723ff6bb1711738ec515cb51a04ab24%40%3Cusers.tapestry.apache.org%3Ehttps://lists.apache.org/thread.html/a4092cb3bacb143571024e79c0016c039b6c982423daa33a7a5c794a%40%3Cusers.tapestry.apache.org%3Ehttps://lists.apache.org/thread.html/6c40c1e03d2131119f9b77882431a0050f02bf9cae9ee48b84d012df%40%3Cusers.tapestry.apache.org%3Ehttps://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843%40%3Ccommits.tapestry.apache.org%3Ehttps://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c%40%3Ccommits.tapestry.apache.org%3Ehttps://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3Ehttps://nvd.nist.govhttp://seclists.org/oss-sec/2021/q2/23
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-5324path traversalCVE-2024-4743CVE-2024-5184TCPCVE-2024-27822code injectionCVE-2024-28995CVE-2023-20938
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook