
Tapestry5.4.5: 9 vulnerabilities (highest severity is: 9.8) #2

@dev-mend-for-github-com

Description

Vulnerable Library - Tapestry5.4.5

Library home page: https://github.com/mvali95/Tapestry.git

Vulnerable Source Files (2)

/quickstart/src/main/resources/archetype-resources/src/main/webapp/mybootstrap/js/collapse.js
/quickstart/src/main/resources/archetype-resources/src/main/webapp/mybootstrap/js/collapse.js

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (Tapestry5.4.5 version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2021-27850 | Critical | 9.8 | Tapestry5.4.5 | Direct | org.apache.tapestry:tapestry-core:5.6.3,5.7.1 | | |
| CVE-2019-0195 | Critical | 9.8 | Tapestry5.4.5 | Direct | org.apache.tapestry:tapestry-core:5.6.3,5.7.1 | | |
| CVE-2021-30638 | High | 7.5 | Tapestry5.4.5 | Direct | org.apache.tapestry:tapestry-core:5.6.4,5.7.2 | | |
| CVE-2020-13953 | Medium | 5.3 | Tapestry5.4.5 | Direct | org.apache.tapestry:tapestry-core:5.6.0 | | |
| CVE-2018-20677 | Low | 3.7 | detected in multiple dependencies | Direct | Bootstrap - v3.4.0; NorDroN.AngularTemplate - 0.1.6; Dynamic.NET.Express.ProjectTemplates - 0.8.0; dotnetng.template - 1.0.0.4; ZNxtApp.Core.Module.Theme - 1.0.9-Beta; JMeter - 5.0.0 | | |
| CVE-2018-20676 | Low | 3.7 | detected in multiple dependencies | Direct | bootstrap - 3.4.0 | | |
| CVE-2018-14042 | Low | 3.7 | detected in multiple dependencies | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | | |
| CVE-2018-14040 | Low | 3.7 | detected in multiple dependencies | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | | |
| CVE-2016-10735 | Low | 3.7 | detected in multiple dependencies | Direct | bootstrap - 3.4.0, 4.0.0-beta.2 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-27850

Vulnerable Library - Tapestry5.4.5

Library home page: https://github.com/mvali95/Tapestry.git

Found in base branch: master

Vulnerable Source Files (1)

/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java

Vulnerability Details

A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.

Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file AppModule.class by requesting the URL http://localhost:8080/assets/something/services/AppModule.class, which contains an HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with .class, .properties or .xml.

Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a / at the end of the URL: http://localhost:8080/assets/something/services/AppModule.class/ The slash is stripped after the blacklist check and the file AppModule.class is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).

Solution for this vulnerability:

  • For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
  • For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

Publish Date: 2021-04-15

URL: CVE-2021-27850

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E

Release Date: 2021-04-15

Fix Resolution: org.apache.tapestry:tapestry-core:5.6.3,5.7.1

CVE-2019-0195

Vulnerable Library - Tapestry5.4.5

Library home page: https://github.com/mvali95/Tapestry.git

Found in base branch: master

Vulnerable Source Files (1)

/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java

Vulnerability Details

By manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file holding the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.

Publish Date: 2019-09-16

URL: CVE-2019-0195

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/TAP5-2663?src=confmacro

Release Date: 2019-09-16

Fix Resolution: org.apache.tapestry:tapestry-core:5.6.3,5.7.1

CVE-2021-30638

Vulnerable Library - Tapestry5.4.5

Library home page: https://github.com/mvali95/Tapestry.git

Found in base branch: master

Vulnerable Source Files (1)

/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ContextAssetRequestHandler.java

Vulnerability Details

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF using a specially constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry 5.4.0 through 5.6.3, and Apache Tapestry 5.7.0 and 5.7.1.

Publish Date: 2021-04-27

URL: CVE-2021-30638

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E

Release Date: 2021-04-27

Fix Resolution: org.apache.tapestry:tapestry-core:5.6.4,5.7.2

CVE-2020-13953

Vulnerable Library - Tapestry5.4.5

Library home page: https://github.com/mvali95/Tapestry.git

Found in base branch: master

Vulnerable Source Files (1)

/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java

Vulnerability Details

In Apache Tapestry 5.4.0 through 5.5.0, an attacker can craft specific URLs to download files inside the WEB-INF folder of the WAR being run.

Publish Date: 2020-09-30

URL: CVE-2020-13953

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/TAP5-2632

Release Date: 2020-09-30

Fix Resolution: org.apache.tapestry:tapestry-core:5.6.0

CVE-2018-20677

Vulnerable Library - Tapestry5.4.5

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

CVE-2018-20676

Vulnerable Library - Tapestry5.4.5

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

CVE-2018-14042

Vulnerable Library - Tapestry5.4.5

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

CVE-2018-14040

Vulnerable Library - Tapestry5.4.5

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

CVE-2016-10735

Vulnerable Library - Tapestry5.4.5

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Mend Note: Converted from WS-2018-0021, on 2022-11-08.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
