Closed by dev-mend-for-github-com[bot] 9 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - tapestry-55.4.3
Library home page: https://github.com/scoffable/tapestry-5.git
Found in HEAD commit: aca16acc45f5f50f6a393f385ecf1826969eef4f
Vulnerable Source Files (2)
/quickstart/src/main/resources/archetype-resources/src/main/webapp/mybootstrap/js/collapse.js
Vulnerabilities
In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2019-0195
### Vulnerable Library - tapestry-55.4.3
Library home page: https://github.com/scoffable/tapestry-5.git
Found in HEAD commit: aca16acc45f5f50f6a393f385ecf1826969eef4f
Found in base branch: master
### Vulnerable Source Files (1)
/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java
### Vulnerability Details
Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.
Publish Date: 2019-09-16
URL: CVE-2019-0195
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/TAP5-2663?src=confmacro
Release Date: 2019-09-16
Fix Resolution: org.apache.tapestry:tapestry-core:5.6.3,5.7.1
CVE-2021-27850
### Vulnerable Library - tapestry-55.4.3
Library home page: https://github.com/scoffable/tapestry-5.git
Found in HEAD commit: aca16acc45f5f50f6a393f385ecf1826969eef4f
Found in base branch: master
### Vulnerable Source Files (1)
/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java
### Vulnerability Details
A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.

Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class`, which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`.

Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/`. The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).

Solution for this vulnerability:
* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
Publish Date: 2021-04-15
URL: CVE-2021-27850
### CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E
Release Date: 2021-04-15
Fix Resolution: org.apache.tapestry:tapestry-core:5.6.3,5.7.1
CVE-2021-30638
### Vulnerable Library - tapestry-55.4.3
Library home page: https://github.com/scoffable/tapestry-5.git
Found in HEAD commit: aca16acc45f5f50f6a393f385ecf1826969eef4f
Found in base branch: master
### Vulnerable Source Files (1)
/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ContextAssetRequestHandler.java
### Vulnerability Details
Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry 5.4.0 through 5.6.3, and Apache Tapestry 5.7.0 and 5.7.1.
Publish Date: 2021-04-27
URL: CVE-2021-30638
### CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E
Release Date: 2021-04-27
Fix Resolution: org.apache.tapestry:tapestry-core: 5.6.4, 5.7.2
CVE-2018-14040
### Vulnerable Library - tapestry-55.4.3
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2018-20677
### Vulnerable Library - tapestry-55.4.3
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
CVE-2018-14042
### Vulnerable Library - tapestry-55.4.3
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2018-20676
### Vulnerable Library - tapestry-55.4.3
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
CVE-2016-10735
### Vulnerable Library - tapestry-55.4.3
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
### CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Release Date: 2019-01-09
Fix Resolution: 3.4.0
CVE-2020-13953
### Vulnerable Library - tapestry-55.4.3
Library home page: https://github.com/scoffable/tapestry-5.git
Found in HEAD commit: aca16acc45f5f50f6a393f385ecf1826969eef4f
Found in base branch: master
### Vulnerable Source Files (1)
/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java
### Vulnerability Details
In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run.
Publish Date: 2020-09-30
URL: CVE-2020-13953
### CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/TAP5-2632
Release Date: 2020-09-30
Fix Resolution: org.apache.tapestry:tapestry-core:5.6.0