oss-sec mailing list archives
CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability
From: "Thiago H. de Paula Figueiredo" <thiagohp () gmail com>
Date: Fri, 13 Sep 2019 11:25:20 -0300
CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability Severity: important Vendor: The Apache Software Foundation Versions affected: all Apache Tapestry versions between 5.4.0, including its betas, and 5.4.4 Description: Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so attacker can perform a path traversal attack to read any files on Windows platform. Mitigation: Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x version. Credit: Ricter Zheng -- Thiago
Current thread:
- CVE-2019-0207: Apache Tapestry 5.4.2 Path Traversal vulnerability Thiago H. de Paula Figueiredo (Sep 13)