CVE - CVE-2019-10071

CVE-ID
CVE-2019-10071	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm instead.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[tapestry-commits] 20200111 svn commit: r1055136 [2/2] - in /websites/production/tapestry/content: cache/main.pageCache component-rendering.html content-type-and-markup.html dom.html https.html request-processing.html response-compression.html security.html url-rewriting.html URL:https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843@%3Ccommits.tapestry.apache.org%3E MLIST:[tapestry-commits] 20200531 svn commit: r1061326 [4/4] - in /websites/production/tapestry/content: ./ cache/ URL:https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c@%3Ccommits.tapestry.apache.org%3E MLIST:[tapestry-users] 20190913 CVE-2019-10071: Apache Tapestry vulnerability disclosure URL:https://lists.apache.org/thread.html/6e8f42c88da7be3c60aafe3f6a85eb00b4f8b444de26b38d36233a43@%3Cusers.tapestry.apache.org%3E MLIST:[tapestry-users] 20191007 Re: CVE-2019-10071: Apache Tapestry vulnerability disclosure URL:https://lists.apache.org/thread.html/bac8d6f9e1b4059b319d9cba6f33219a99b81623476ec896138f851c@%3Cusers.tapestry.apache.org%3E MLIST:[tapestry-users] 20191014 Re: CVE-2019-10071: Apache Tapestry vulnerability disclosure URL:https://lists.apache.org/thread.html/7a437dad5af7309aba4d01bfc2463b3ac34e6aafaa565381d3a36460@%3Cusers.tapestry.apache.org%3E
Assigning CNA
Apache Software Foundation
Date Record Created
20190326	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190326)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)