CVE-2021-30638
An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later
Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.
Produtos afetados
Apache Software Foundation · Apache TapestryQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3Ehttps://security.netapp.com/advisory/ntap-20210528-0004/https://www.zerodayinitiative.com/advisories/ZDI-21-491/http://www.openwall.com/lists/oss-security/2021/04/27/3