GHSA-89r3-rcpj-h7w6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-89r3-rcpj-h7w6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-89r3-rcpj-h7w6/GHSA-89r3-rcpj-h7w6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-89r3-rcpj-h7w6
- Aliases
- Published
- 2019-11-18T17:19:03Z
- Modified
- 2023-11-08T04:00:31.355832Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Path traversal attack on Windows platforms
- Details
-
Tapestry processes assets
/assets/ctxusing classes chainStaticFilesFilter -> AssetDispatcher -> ContextResource, which doesn't filter the character\, so attacker can perform a path traversal attack to read any files on Windows platform. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2019-11-18T14:18:47Z", "nvd_published_at": "2019-09-16T17:15:00Z", "severity": "HIGH", "cwe_ids": [ "CWE-22" ] }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-0207
- https://lists.apache.org/thread.html/765be3606d865de513f6df9288842c3cf58b09a987c617a535f2b99d@%3Cusers.tapestry.apache.org%3E
- https://lists.apache.org/thread.html/bac8d6f9e1b4059b319d9cba6f33219a99b81623476ec896138f851c@%3Cusers.tapestry.apache.org%3E
- https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c@%3Ccommits.tapestry.apache.org%3E
- https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843@%3Ccommits.tapestry.apache.org%3E
Affected packages
Maven / org.apache.tapestry:tapestry-core
Package
- Name
- org.apache.tapestry:tapestry-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.apache.tapestry/tapestry-core