CVE-2021-30638

An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later

Description

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.

Remediation

Workaround:

Solution: For Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4 For Tapestry 5.7.0 and 5.7.1: upgrade to 5.7.2

References

Link	Tags
https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E	vendor advisory mailing list
http://www.openwall.com/lists/oss-security/2021/04/27/3	third party advisory mailing list
https://www.zerodayinitiative.com/advisories/ZDI-21-491/	third party advisory vdb entry
https://security.netapp.com/advisory/ntap-20210528-0004/	third party advisory

Frequently Asked Questions

What is the severity of CVE-2021-30638?: CVE-2021-30638 has been scored as a high severity vulnerability.
How to fix CVE-2021-30638?: As a workaround for remediating CVE-2021-30638: Solution: For Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4 For Tapestry 5.7.0 and 5.7.1: upgrade to 5.7.2
Is CVE-2021-30638 being actively exploited in the wild?: It is possible that CVE-2021-30638 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-30638?: CVE-2021-30638 affects Apache Software Foundation Apache Tapestry.

Description

Remediation

Categories

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

CWE-863 – Incorrect Authorization

References

Frequently Asked Questions