CVE-2020-17531
CRITICAL
Apache Tapestry 4 - Deserialization
Title source: llmDescription
A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.
Exploits (1)
References (3)
Scores
CVSS v3
9.8
EPSS
0.3645
EPSS Percentile
97.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-502
Status
published
Affected Products (2)
apache/tapestry
< 5.0.1
org.apache.tapestry/tapestry-project
< 5.0.1 (Maven)
Timeline
Published
Dec 08, 2020
Tracked Since
Feb 18, 2026