Date: Sat, 26 Sep 2020 16:44:15 -0300 From: "Thiago H. de Paula Figueiredo" <thiagohp@...il.com> To: oss-security@...ts.openwall.com Subject: [CVE-2020-13953] Apache Tapestry WEB-INF file download vulnerability CVE-2020-13953: Apache Tapestry: URL manipulation allows Java webapp files inside WEB-INF to be listed and downloaded. Vendor: The Apache Software Foundation Versions Affected: Tapestry 5.4.0 to 5.5.0 Description: Crafting specific URLs, an attacker can download files inside the WEB-INF folder. Mitigation: Upgrade to Apache Tapestry 5.6.0 or later. Credit: This issue was discovered by Thomas Moore. References: https://tapestry.apache.org/security.html -- Thiago
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.