CVE-2019-0195

CRITICAL

Apache Tapestry 5.4.0-5.4.2 and 5.4.0-5.4.4 - Remote Code Execution via Classpath Asset File URL Manipulation

Title source: llm
STIX 2.1

Description

Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.

References (7)

Core 7
Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/04/15/1

Scores

CVSS v3 9.8
EPSS 0.1552
EPSS Percentile 94.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (2)
apache/tapestry 5.4.0 - 5.4.3
org.apache.tapestry/tapestry-core 5.4.0 - 5.4.5Maven
Published Sep 16, 2019
Tracked Since Feb 18, 2026