
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN543
_____________________________________________________________________

DATE                : 28/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tapestry versions prior to 5.6.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/tapestry-users/202009.mbox/%3cCAE_88GbgOvwBTo1RFv5NUv2XPgQX2n9vaqPRjd8Qgqgb4pAU-w@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-13953: Apache Tapestry: URL manipulation allows Java webapp files
inside WEB-INF to be listed and downloaded.

Vendor:
The Apache Software Foundation

Versions Affected:
Tapestry 5.4.0 to 5.5.0

Description:
By crafting specific URLs, an attacker can list and download files inside the
WEB-INF folder.

Mitigation:
Upgrade to Apache Tapestry 5.6.0 or later.

Credit:
This issue was discovered by Thomas Moore.

References:
https://tapestry.apache.org/security.html

-- 
Thiago

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================