oss-sec mailing list archives
[CVE-2020-13953] Apache Tapestry WEB-INF file download vulnerability
From: "Thiago H. de Paula Figueiredo" <thiagohp () gmail com>
Date: Sat, 26 Sep 2020 16:44:15 -0300
CVE-2020-13953: Apache Tapestry: URL manipulation allows Java webapp files inside WEB-INF to be listed and downloaded.

Vendor: The Apache Software Foundation

Versions Affected: Tapestry 5.4.0 to 5.5.0

Description: Crafting specific URLs, an attacker can download files inside the WEB-INF folder.

Mitigation: Upgrade to Apache Tapestry 5.6.0 or later.

Credit: This issue was discovered by Thomas Moore.

References: https://tapestry.apache.org/security.html

--
Thiago