CVE-2023-49735

2023-11-3022:15:09

CWE-22

[email protected]

web.nvd.nist.gov

cve-2023-49735

ssrf

xxe

defaultlocaleresolver

path traversal

xml

apache tiles

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

23.3%

JSON

UNSUPPORTED WHEN ASSIGNED

The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the ‘tiles-test’ application shipped with Tiles.

This issue affects Apache Tiles from version 2 onwards.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Affected configurations

Vulners

NVD

Node

apachetilesRange≤2.0.0

CPENameOperatorVersion
apache:tilesapache tileseq*

CPE	Name	Operator	Version
apache:tiles	apache tiles	eq	*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Apache Tiles",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "*",
        "status": "affected",
        "version": "2.0.0",
        "versionType": "semver"
      }
    ]
  }
]