In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run.
{ "source": "CPE_RANGE", "cpe": "cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*", "extracted_events": [ { "introduced": "5.4.0" }, { "fixed": "5.6.4" }, { "introduced": "5.7.0" }, { "fixed": "5.7.2" } ] }
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13953.json"