CVE-2021-30638
Summary
| CVE | CVE-2021-30638 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-04-27 19:15:00 UTC |
| Updated | 2022-10-27 12:42:00 UTC |
| Description | Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1. |
Risk And Classification
Problem Types: CWE-863
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| oss-security - CVE-2021-30638: An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later | MLIST | www.openwall.com | |
| CVE-2021-30638 Apache Tapestry Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| ZDI-21-491 | Zero Day Initiative | MISC | www.zerodayinitiative.com | |
| Pony Mail! | MISC | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: This vulnerability was discovered by Kc Udonsi of Trend Micro
There are currently no legacy QID mappings associated with this CVE.