CVE - CVE-2019-0195

CVE-ID
CVE-2019-0195	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MLIST:[oss-security] 20210414 CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195 URL:http://www.openwall.com/lists/oss-security/2021/04/15/1 MLIST:[tapestry-commits] 20200111 svn commit: r1055136 [2/2] - in /websites/production/tapestry/content: cache/main.pageCache component-rendering.html content-type-and-markup.html dom.html https.html request-processing.html response-compression.html security.html url-rewriting.html URL:https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843@%3Ccommits.tapestry.apache.org%3E MLIST:[tapestry-commits] 20200531 svn commit: r1061326 [4/4] - in /websites/production/tapestry/content: ./ cache/ URL:https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c@%3Ccommits.tapestry.apache.org%3E MLIST:[tapestry-users] 20190913 [CVE-2019-0195] Apache Tapestry vulnerability disclosure URL:https://lists.apache.org/thread.html/5173c4eed06e2fca6fd5576ed723ff6bb1711738ec515cb51a04ab24@%3Cusers.tapestry.apache.org%3E MLIST:[tapestry-users] 20191007 Re: [CVE-2019-0195] Apache Tapestry vulnerability disclosure URL:https://lists.apache.org/thread.html/a4092cb3bacb143571024e79c0016c039b6c982423daa33a7a5c794a@%3Cusers.tapestry.apache.org%3E MLIST:[tapestry-users] 20191014 Re: [CVE-2019-0195] Apache Tapestry vulnerability disclosure URL:https://lists.apache.org/thread.html/6c40c1e03d2131119f9b77882431a0050f02bf9cae9ee48b84d012df@%3Cusers.tapestry.apache.org%3E MLIST:[tapestry-users] 20210414 [SECURITY VULNERABILITY DISCLOSURE] CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195 URL:https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751@%3Cusers.tapestry.apache.org%3E
Assigning CNA
Apache Software Foundation
Date Record Created
20181114	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20181114)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)