QwikSec

Security Database

CVE

CWE

Training

CVE-2021-30638

Published: Apr 27, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.

Vendor	Product	Versions
Apache Software Foundation	Apache Tapestry	affected `Apache Tapestry - < Apache Tapestry 5.6.4` affected `Apache Tapestry - < Apache Tapestry 5.7.2`

Weaknesses (CWE)

References

https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E

x_refsource_MISC

[oss-security] 20210427 CVE-2021-30638: An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later

mailing-list

x_refsource_MLIST

https://www.zerodayinitiative.com/advisories/ZDI-21-491/

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20210528-0004/

x_refsource_CONFIRM

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.