CVE-2021-30638

CVSS v3.1 7.5 (High)

CVSS v2.0 5 (Medium)

EPSS 0.66 % (80^th)

Affected Products 1

Advisories 1

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.

Weaknesses

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-863: Incorrect Authorization

Related CVEs

CVE-2020-13953

CVE Status: PUBLISHED
CNA: Apache Software Foundation
Published Date: 2021-04-27 19:15:07
(3 years ago)
Updated Date: 2022-10-27 12:42:54
(23 months ago)

Affected Products

Apache

Tapestry

Configuration #1

		CPE23	From	Up To
	Apache Tapestry from 5.4.0 version and prior 5.6.4 version	cpe:2.3:a:apache:tapestry	>= 5.4.0	< 5.6.4
	Apache Tapestry from 5.7.0 version and prior 5.7.2 version	cpe:2.3:a:apache:tapestry	>= 5.7.0	< 5.7.2