CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2021-30638

HIGH
7.5
CVSS Severity Score
EPSS Score0.1410%
EPSS Percentile16.64th
Published2021年4月27日
Last Modified2024年11月21日

Vulnerability Description

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.

Affected Platforms (CPE)

📦
Apache

Tapestry

>= 5.4.0 and < 5.6.4
📦
Apache

Tapestry

>= 5.7.0 and < 5.7.2

References & Advisories

🔗 http://www.openwall.com/lists/oss-security/2021/04/27/3
🔗 https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E
🔗 https://security.netapp.com/advisory/ntap-20210528-0004/
🔗 https://www.zerodayinitiative.com/advisories/ZDI-21-491/
🔗 http://www.openwall.com/lists/oss-security/2021/04/27/3
🔗 https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E
🔗 https://security.netapp.com/advisory/ntap-20210528-0004/
🔗 https://www.zerodayinitiative.com/advisories/ZDI-21-491/

相關漏洞威脅

CVE-2020-175319.8

A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" paramete...

CVE-2021-278509.8

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected vers...

CVE-2014-19727.8

Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which ...

CVE-2019-02077.5

Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn...