tapestry-core is vulnerable to remote code execution. Access to classpath asset files is not restricted, allowing an attacker to guess the path to a known file in the classpath and retrieve its contents. It can also potentially allow the attacker to perform a Java serialization attack if the value of the tapestry.hmac-passphrase configuration symbol is found. This CVE exists due to a bypass of the fix for CVE-2019-0195.
Name | Operator | Version
---|---|---
tapestry-core | eq | 5.7.0
tapestry-core | le | 5.6.2
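
To check a build against the affected-version rows listed above, the following added example (not part of the original advisory) scans `mvn dependency:tree` output for tapestry-core and evaluates each resolved version against the `eq`/`le` rows. The sample tree, the `com.example` modules and all function names are constructed for illustration; it assumes Maven's usual `groupId:artifactId:packaging:version:scope` coordinate layout and ignores version qualifiers.

```python
import re

# Affected ranges as (operator, version), copied from the table above.
AFFECTED = [("eq", "5.7.0"), ("le", "5.6.2")]

# Constructed sample of `mvn dependency:tree` output for two modules.
SAMPLE_TREE = """\
[INFO] com.example:shop:war:1.0
[INFO] +- org.apache.tapestry:tapestry-core:jar:5.6.1:compile
[INFO] |  \\- org.apache.tapestry:tapestry-ioc:jar:5.6.1:compile
[INFO] com.example:legacy-admin:war:2.3
[INFO] \\- org.apache.tapestry:tapestry-core:jar:5.7.0:runtime
"""

def parse_coordinate(line):
    """Return (artifactId, version) from one tree line, or None."""
    m = re.search(r"[\w.\-]+(?::[\w.\-]+){3,5}", line)
    if not m:
        return None
    parts = m.group(0).split(":")
    # group:artifact:packaging[:classifier]:version[:scope]
    version = parts[4] if len(parts) == 6 else parts[3]
    return parts[1], version

def version_key(version):
    """Numeric sort key; qualifiers such as -SNAPSHOT are ignored (assumption)."""
    nums = [int(n) for n in version.split("-")[0].split(".") if n.isdigit()]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version):
    key = version_key(version)
    return any(
        (op == "eq" and key == version_key(bound))
        or (op == "le" and key <= version_key(bound))
        for op, bound in AFFECTED
    )

def find_affected(tree_output):
    """List every tapestry-core version in the tree that the table marks affected."""
    hits = []
    for line in tree_output.splitlines():
        coord = parse_coordinate(line)
        if coord and coord[0] == "tapestry-core" and is_affected(coord[1]):
            hits.append(coord[1])
    return hits

if __name__ == "__main__":
    for v in find_affected(SAMPLE_TREE):
        print(f"tapestry-core {v} is in an affected range")
```

Transitive copies matter here: the check flags tapestry-core wherever it appears in the tree, not only as a direct dependency.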