CVE-2019-0207

Summary

Tapestry processes assets /assets/ctx using classes chain StaticFilesFilter -> AssetDispatcher -> ContextResource, which doesn't filter the character \, so attacker can perform a path traversal attack to read any files on Windows platform.

Affected Software

VendorProductVersion RangeStatus
ApacheApache TapestryApache Tapestry 5.4.0 to 5.4.4affected

Weaknesses

  • Information Disclosure

ADP Enrichment

CVE Program Container

Additional References

References