org.apache.tapestry:tapestry-core (Maven)
9 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.apache.tapestry:tapestry-core
- CVE-2014-1972 | Severity: NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 5.3.6 | 2015-08-22
vulnerable: 5.0.1 ... 5.3.5 (38 versions)
Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource consumption) or execute arbitrary code via cra…
- CVE-2019-0195 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.4.5 | 2019-09-16
vulnerable: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4
Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most prob…
- CVE-2019-0207 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.4.5 | 2019-09-16
vulnerable: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4
Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so attacker can perform a path traversal attack to read any files on Windows pla…
- CVE-2019-10071 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.4.5 | 2019-09-16
vulnerable: 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4
The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to deter…
- CVE-2020-13953 | Severity: MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 5.6.0 | 2020-09-30
vulnerable: 5.4.0 ... 5.5.0-beta-3 (8 versions)
In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run.
- CVE-2021-27850 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.7.1 | 2021-04-15
vulnerable: 5.7.0
A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-201…
- CVE-2021-30638 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.7.2 | 2021-04-27
vulnerable: 5.7.0, 5.7.1
Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue a…
- CVE-2022-31781 | Severity: HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.8.2 | 2022-07-13
vulnerable: 5.0.1 ... 5.8.1 (66 versions)
Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete…
- CVE-2022-46366 | Severity: CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.0.1 | 2022-12-02
Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies to the (also unsupported) 4.x version line. NOTE: This vulnerability …