Free and open-source vulnerability scanner
Mageni eases the vulnerability scanning, assessment, and management process for you. It is free and open-source.
Apache Tapestry 5.4.0 < 5.6.3, 5.7.0 < 5.7.1 RCE Vulnerability - Active Check
Information
Severity
Family
CVSSv2 Base
CVSSv2 Vector
Solution Type
Created
Modified
Summary
Apache Tapestry is prone to a remote code execution (RCE) vulnerability.
Insight
An unauthenticated remote code execution vulnerability was found in Apache Tapestry. The vulnerability is a bypass of the fix for CVE-2019-0195. Before the fix for CVE-2019-0195, it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file 'AppModule.class', which contains an HMAC secret key, by requesting the path '/assets/something/services/AppModule.class'. The fix for that bug was a blacklist filter that checks whether the URL ends with '.class', '.properties' or '.xml'. Unfortunately, the blacklist solution can simply be bypassed by appending a '/' at the end of the path: '/assets/something/services/AppModule.class/'. The slash is stripped after the blacklist check, and the file 'AppModule.class' is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).
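The root cause above is an ordering bug: the suffix denylist runs on the raw URL and the trailing slash is stripped afterwards. The following added example (not Tapestry's code, and not part of this advisory) models that check-then-strip logic beside a strip-then-check version that canonicalizes the path first, and runs both over constructed access-log lines to flag requests that only the flawed ordering would have served. Names such as `vulnerable_resolve`, `hardened_resolve` and `find_bypass_attempts` are hypothetical.

```python
import posixpath
import re
from urllib.parse import unquote

# Suffixes the original fix for CVE-2019-0195 denied, as described in the Insight above.
BLOCKED_SUFFIXES = (".class", ".properties", ".xml")


def vulnerable_resolve(path):
    """Check-then-strip ordering from the advisory (deliberately flawed model)."""
    if path.endswith(BLOCKED_SUFFIXES):
        return None                 # blocked only when the RAW path ends with a suffix
    return path.rstrip("/")         # trailing slash removed after the check, so '.class/' passes


def canonicalize(path):
    """Decode, resolve dot segments and drop trailing slashes before any policy check."""
    return posixpath.normpath(unquote(path)).rstrip("/")


def hardened_resolve(path):
    """Strip-then-check: the denylist is applied to the canonical path (case-insensitive, an assumption)."""
    canonical = canonicalize(path)
    if canonical.lower().endswith(BLOCKED_SUFFIXES):
        return None
    return canonical


# Constructed access-log lines (common log format) used as sample input.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2022:12:00:01 +0000] "GET /assets/app/css/site.css HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2022:12:00:02 +0000] "GET /assets/something/services/AppModule.class HTTP/1.1" 403 0
10.0.0.9 - - [10/Mar/2022:12:00:03 +0000] "GET /assets/something/services/AppModule.class/ HTTP/1.1" 200 2048
10.0.0.9 - - [10/Mar/2022:12:00:04 +0000] "GET /assets/something/app.properties HTTP/1.1" 403 0
"""

_REQ = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/')


def find_bypass_attempts(log_text):
    """Return request paths that the raw check lets through but the canonical check denies."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.search(line)
        if not m:
            continue
        path = m.group(1).split("?", 1)[0]   # drop any query string
        if vulnerable_resolve(path) is not None and hardened_resolve(path) is None:
            hits.append(path)
    return hits
```

Feeding real access logs to `find_bypass_attempts` gives a retrospective indicator of whether the trailing-slash variant was requested against an instance before it was patched.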
Affected Software
Apache Tapestry versions 5.4.0 through 5.6.2, and 5.7.0.
Detection Method
Sends a crafted HTTP GET request and checks the response.
Solution
Update to version 5.6.3, 5.7.1 or later.