Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so attacker can perform a path traversal attack to read any files on Windows platform.
References
Configurations
History
07 Nov 2023, 03:01
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2019-09-16 17:15
Updated : 2024-02-28 17:08
NVD link : CVE-2019-0207
Mitre link : CVE-2019-0207
CVE.ORG link : CVE-2019-0207
JSON object : View
Products Affected
apache
- tapestry
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')