tapestry-dev mailing list archives

From: "Thiago H. de Paula Figueiredo" <thiag...@gmail.com>
Subject: [CVE-2020-13953] Apache Tapestry WEB-INF file download vulnerability
Date: Sat, 26 Sep 2020 19:13:24 GMT

CVE-2020-13953: Apache Tapestry: URL manipulation allows Java webapp files
inside WEB-INF to be listed and downloaded.

Vendor:
The Apache Software Foundation

Versions Affected:
Tapestry 5.4.0 to 5.5.0

Description:
Crafting specific URLs, an attacker can download files inside the WEB-INF
folder.

Mitigation:
Upgrade to Apache Tapestry 5.6.0 or later.

Credit:
This issue was discovered by Thomas Moore.

References:
https://tapestry.apache.org/security.html

-- 
Thiago
