{"containers": {"cna": {"affected": [{"product": "Apache Tapestry", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache Tapestry 5.5.0"}, {"status": "affected", "version": "Apache Tapestry 5.7.0"}, {"lessThan": "Apache Tapestry 5.4.0*", "status": "affected", "version": "Apache Tapestry 5.4.5", "versionType": "custom"}, {"lessThan": "Apache Tapestry 5.6.0*", "status": "affected", "version": "Apache Tapestry 5.6.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache Tapestry would like to thank Johannes Moritz for finding and notifying this vulnerability"}], "descriptions": [{"lang": "en", "value": "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Information Exposure", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-28T09:06:12", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E"}, {"name": "[oss-security] 20210414 CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2021/04/15/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210528-0002/"}], "source": {"defect": ["TAP5-2663"], "discovery": "UNKNOWN"}, "title": "Bypass of the fix for CVE-2019-0195", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-27850", "STATE": "PUBLIC", "TITLE": "Bypass of the fix for CVE-2019-0195"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Tapestry", "version": {"version_data": [{"version_affected": ">=", "version_name": "Apache Tapestry 5.4.0", "version_value": "Apache Tapestry 5.4.5"}, {"version_affected": "=", "version_name": "Apache Tapestry 5.5.0", "version_value": "Apache Tapestry 5.5.0"}, {"version_affected": ">=", "version_name": "Apache Tapestry 5.6.0", "version_value": "Apache Tapestry 5.6.2"}, {"version_affected": "=", "version_name": "Apache Tapestry 5.7.0", "version_value": "Apache Tapestry 5.7.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache Tapestry would like to thank Johannes Moritz for finding and notifying this vulnerability"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200 Information Exposure"}]}, {"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E"}, {"name": "[oss-security] 20210414 CVE-2021-27850: Apache Tapestry: Bypass of the fix for CVE-2019-0195", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/04/15/1"}, {"name": "https://security.netapp.com/advisory/ntap-20210528-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210528-0002/"}]}, "source": {"defect": ["TAP5-2663"], "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-27850", "datePublished": "2021-04-15T07:40:11", "dateReserved": "2021-03-01T00:00:00", "dateUpdated": "2021-05-28T09:06:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*", "matchCriteriaId": "5611789E-E882-49FF-9E33-A8612A394FE5", "versionEndExcluding": "5.6.2", "versionStartIncluding": "5.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*", "matchCriteriaId": "4709FF63-6606-413B-941E-3E58DDA96203", "versionEndExcluding": "5.7.1", "versionStartIncluding": "5.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad cr\u00edtica de ejecuci\u00f3n de c\u00f3digo remota no autenticado en todas las versiones recientes de Apache Tapestry. Las versiones afectadas incluyen 5.4.5, 5.5.0, 5.6.2 y 5.7.0. La vulnerabilidad encontrada es un desv\u00edo de la soluci\u00f3n para CVE-2019-0195. Resumen: versiones anteriores a correcci\u00f3n de CVE-2019-0195, era posible descargar archivos de clases arbitrarios desde la ruta de clases proporcionando una URL de archivo de activos dise\u00f1ada. Un atacante pudo descargar el archivo \"AppModule.class\" al requerir la URL \"http://localhost:8080/assets/something/services/AppModule.class\" que contiene una clave secreta HMAC. La correcci\u00f3n para ese error fue un filtro de lista negra que verifica si la URL termina con \".class\",\" properties\" o \".xml\". Omitir: Desafortunadamente, la soluci\u00f3n de lista negra puede simplemente ser omitida al agregar un \"/` al final de la URL: \"http: // localhost:8080/assets/something/services/AppModule.class/\". La barra es eliminada despu\u00e9s de la comprobaci\u00f3n de la lista negra y el archivo` AppModule.class` se carga en la respuesta. Esta clase generalmente contiene la clave secreta HMAC que es usada para firmar objetos Java serializados. Con el conocimiento de esa clave, un atacante puede firmar una cadena de dispositivos Java que conlleva a una RCE (por ejemplo, CommonsBeanUtils1 de ysoserial). Soluci\u00f3n para esta vulnerabilidad: *Para Apache Tapestry versiones 5.4.0 hasta 5.6.1, actualice a versiones 5.6.2 o posteriores. *Para Apache Tapestry versi\u00f3n 5.7.0, actualice a versiones 5.7.1 o posteriores"}], "id": "CVE-2021-27850", "lastModified": "2021-06-02T15:15:24.743", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-04-15T08:15:14.823", "references": [{"source": "security@apache.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/04/15/1"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210528-0002/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}

{}