
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN255
_____________________________________________________________________

DATE                : 30/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tapestry versions prior to
                     5.4.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/tapestry-users/202104.mbox/%3cCAE_88GYRgfXRBDs-nKvvYr=FB3xeqoObcK46i4m36JKgWFOkzA@mail.gmail.com%3e
_____________________________________________________________________

CVE-2021-30638: An Information Disclosure due to insufficient input
validation exists in Apache Tapestry 5.4.0 and later

Description:

Information Exposure vulnerability in context asset handling of Apache
Tapestry allows an attacker to download files inside WEB-INF by using a
specially-constructed URL.  This was caused by an incomplete fix for
CVE-2020-13953.  This issue affects Apache Tapestry 5.4.0 to 5.6.3, and
Apache Tapestry 5.7.0 and 5.7.1.

Solution:

For Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4

For Tapestry 5.7.0 and 5.7.1: upgrade to 5.7.2

************ Problem Description ************

An Information Disclosure due to insufficient input validation exists in
Apache Tapestry 5.6.1 and later (latest).

A recent patch for CVE-2020-13953
(https://github.com/apache/tapestry-5/commit/cf1912291af9146ee86a4aef471ae2ab31d3a28b)
fails to account for the backslash character in the filtering regex. An
attacker is therefore able to list and download web app files from the
WEB-INF and META-INF directory using a crafted payload.

Credit:

This vulnerability was discovered by Kc Udonsi of Trend Micro

-- 
Thiago
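
The backslash gap described above also matters when reviewing access logs.
The Python code below is an added example, not part of the original advisory
or of Tapestry's code: it flags requests whose path reaches WEB-INF or
META-INF once percent-escapes are decoded and "/" and "\" are treated alike.
The slash-only regex, the /app/assets/ prefix and the log lines are
constructed assumptions.

```python
import re
from urllib.parse import unquote

PROTECTED = {"web-inf", "meta-inf"}
# Constructed filter that only anticipates "/" as a separator (an assumption
# for illustration, not Tapestry's actual regex).
SLASH_ONLY = re.compile(r"(^|/)(WEB-INF|META-INF)(/|$)", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')


def canonical_segments(raw_path, max_rounds=3):
    """Drop the query, decode percent-escapes, split on '/' and '\\'."""
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):  # bounded, in case of nested encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return [s for s in re.split(r"[/\\]+", path) if s not in ("", ".")]


def touches_protected_dir(raw_path):
    """True if any canonical path segment names a protected directory."""
    return any(s.lower() in PROTECTED for s in canonical_segments(raw_path))


def suspicious_requests(log_lines):
    """Return (path, status, missed_by_slash_only_filter) per flagged line."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m and touches_protected_dir(m.group(1)):
            path, status = m.group(1), int(m.group(2))
            hits.append((path, status, SLASH_ONLY.search(path) is None))
    return hits


# Constructed access-log lines; the /app/assets/ prefix is hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Apr/2021:10:00:01 +0000] "GET /app/assets/css/site.css HTTP/1.1" 200 512',
    '192.0.2.44 - - [30/Apr/2021:10:00:07 +0000] "GET /app/assets/WEB-INF/web.xml HTTP/1.1" 404 0',
    '192.0.2.44 - - [30/Apr/2021:10:00:09 +0000] "GET /app/assets/%5cWEB-INF%5cweb.xml HTTP/1.1" 200 2048',
    '192.0.2.44 - - [30/Apr/2021:10:00:12 +0000] "GET /app/assets/%5Cmeta-inf%5CMANIFEST.MF HTTP/1.1" 200 96',
]

if __name__ == "__main__":
    for path, status, missed in suspicious_requests(SAMPLE_LOG):
        print(status, path, "(missed by slash-only filter)" if missed else "")
```

A flagged request with a 200 status on a version listed as affected is the
case to investigate first.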

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================





