Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS02bXdoLWZ3NHAtNzVmas4AAq4m

Deserialization of Untrusted Data in Apache Tapestry

By manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.

Permalink: https://github.com/advisories/GHSA-6mwh-fw4p-75fj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02bXdoLWZ3NHAtNzVmas4AAq4m
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-6mwh-fw4p-75fj, CVE-2019-0195
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-0195
• https://lists.apache.org/thread.html/5173c4eed06e2fca6fd5576ed723ff6bb1711738ec515cb51a04ab24@%3Cusers.tapestry.apache.org%3E
• https://lists.apache.org/thread.html/6c40c1e03d2131119f9b77882431a0050f02bf9cae9ee48b84d012df@%3Cusers.tapestry.apache.org%3E
• https://lists.apache.org/thread.html/a4092cb3bacb143571024e79c0016c039b6c982423daa33a7a5c794a@%3Cusers.tapestry.apache.org%3E
• https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751@%3Cusers.tapestry.apache.org%3E
• https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c@%3Ccommits.tapestry.apache.org%3E
• https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843@%3Ccommits.tapestry.apache.org%3E
• http://www.openwall.com/lists/oss-security/2021/04/15/1
• https://github.com/advisories/GHSA-6mwh-fw4p-75fj

Blast Radius: 28.3

Affected Packages