GHSA-6mwh-fw4p-75fj

Suggest an improvement
Source
https://github.com/advisories/GHSA-6mwh-fw4p-75fj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6mwh-fw4p-75fj/GHSA-6mwh-fw4p-75fj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6mwh-fw4p-75fj
Aliases
Published
2022-05-24T22:00:35Z
Modified
2023-11-08T04:00:30.919220Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Deserialization of Untrusted Data in Apache Tapestry
Details

By manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.

Database specific 
{
    "nvd_published_at": "2019-09-16T16:15:00Z",
    "github_reviewed_at": "2022-11-03T18:45:32Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Maven / org.apache.tapestry:tapestry-core

Package

Name
org.apache.tapestry:tapestry-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tapestry/tapestry-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.4.0
Fixed
5.4.5

Affected versions

5.*

5.4.0
5.4.1
5.4.2
5.4.3
5.4.4