
JVN#17611367: Apache Tapestry deserializes untrusted data

2015-08-20 00:00:00
Japan Vulnerability Notes
jvn.jp

CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: COMPLETE

EPSS: 0.027 Low (Percentile: 90.5%)

Apache Tapestry is a framework for creating Java web applications. Apache Tapestry contains an interface through which client-side serialized data sent to the server is deserialized once the server receives it. This serialization / deserialization process performs no validation of the data. Therefore, if the serialized data is altered, the server will deserialize it without validating it (CWE-502).
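The validation step that the description says is missing, as an added example (not Tapestry's own code): a Java ObjectInputStream that rejects any class descriptor not on an explicit allow-list before the class is loaded. The PageState payload type, the allow-list contents and the two constructed payloads are hypothetical.

```java
import java.io.*;
import java.util.Set;

/** Deserializer that validates every class descriptor against an explicit allow-list. */
public final class AllowListObjectInputStream extends ObjectInputStream {

    /** Hypothetical payload type the server expects back from the client. */
    static final class PageState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String pageId;
        final int offset;
        PageState(String pageId, int offset) { this.pageId = pageId; this.offset = offset; }
    }

    // Only these classes may be instantiated from the stream. Strings and primitives carry no
    // class descriptor, so they need no entry; every other class in the stream is checked here.
    private static final Set<String> ALLOWED = Set.of(PageState.class.getName());

    AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        // Reject before the class is loaded, so no readObject(), readResolve() or static
        // initialiser of an unexpected type ever runs on attacker-controlled data.
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not permitted in request payload");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PageState("home", 10));     // constructed: what the app expects
        byte[] unexpected = serialize(new java.util.ArrayList<>()); // constructed: any other type
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(expected))) {
            PageState s = (PageState) in.readObject();
            System.out.println("accepted " + s.pageId + "/" + s.offset);
        }
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(unexpected))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected " + e.classname);
        }
    }
}
```

On Java 9 and later the same policy can be expressed with java.io.ObjectInputFilter instead of overriding resolveClass; either way, the check must run before any class from the stream is resolved.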

Impact

When specially crafted input is processed, arbitrary files may be written or arbitrary code may be executed on the application server.

Solution

Apply an Update
Update to the latest version according to the information provided by the developer.

Products Affected

Applications that are created using the following versions are affected:

  • Apache Tapestry 5.0.x (all versions)
  • Apache Tapestry 5.1.x (all versions)
  • Apache Tapestry 5.2.x (all versions)
  • Apache Tapestry 5.3 to 5.3.5
    According to the developer, the unsupported Tapestry 3.x and 4.x versions may also be affected by this issue.
