[CVE-2022-31781] Apache Tapestry denial of service vulnerability

["Thiago H. de Paula Figueiredo" <thiagohp () gmail com>]

Regular Expression Denial of Service (ReDoS) in ContentType.java.
(GHSL-2022-022) (CVE-2022-31781)

PRODUCT AFFECTED:

This issue affects Apache Tapestry 5.8.1.

PROBLEM:

Severity: low

Apache Tapestry up to version 5.8.1 is vulnerable to Regular
Expression Denial of Service (ReDoS) in the way it handles Content
Types. Specially crafted Content Types may cause catastrophic
backtracking, taking exponential time to complete.

Specifically, this is about the regular expression used on the
parameter of the org.apache.tapestry5.http.ContentType class.

Apache Tapestry 5.8.2 has a fix for this vulnerability.

Notice the vulnerability cannot be triggered by web requests in
Tapestry code alone. It would only happen if there's some non-Tapestry
codepath passing some outside input to the ContentType class
constructor.

This issue has been assigned CVE-2022-31781.

MODIFICATION HISTORY:

: Initial Publication.

RELATED LINKS:

CVE-2022-31781 at cve.mitre.org

ACKNOWLEDGEMENTS:

CodeQL team members [@atorralba (Tony
Torralba)](https://github.com/atorralba) and [@joefarebrother (Joseph
Farebrother)](https://github.com/joefarebrother).