Vulnerabilities > Apache > Tapestry

| Date | CVE | Vulnerability title | Description | Risk |
|---|---|---|---|---|
| 2022-12-02 | CVE-2022-46366 | Deserialization of Untrusted Data vulnerability in Apache Tapestry | Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. | network, low complexity, apache CWE-502, critical, 9.8 |
| 2022-07-13 | CVE-2022-31781 | Unspecified vulnerability in Apache Tapestry | Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. | network, low complexity, apache, 7.5 |
| 2021-04-27 | CVE-2021-30638 | Incorrect Authorization vulnerability in Apache Tapestry | Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. | network, low complexity, apache CWE-863, 7.5 |
| 2021-04-15 | CVE-2021-27850 | Deserialization of Untrusted Data vulnerability in Apache Tapestry | A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. | network, low complexity, apache CWE-502, critical, 9.8 |
| 2020-12-08 | CVE-2020-17531 | Deserialization of Untrusted Data vulnerability in Apache Tapestry | A Java Serialization vulnerability was found in Apache Tapestry 4. | network, low complexity, apache CWE-502, critical, 9.8 |
| 2020-09-30 | CVE-2020-13953 | Files or Directories Accessible to External Parties vulnerability in Apache Tapestry | In Apache Tapestry from 5.4.0 to 5.5.0, by crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run. | network, low complexity, apache CWE-552, 5.3 |
| 2019-09-16 | CVE-2019-10071 | Information Exposure Through Discrepancy vulnerability in Apache Tapestry 5.4.0 | The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. | network, low complexity, apache CWE-203, critical, 9.8 |
| 2019-09-16 | CVE-2019-0207 | Path Traversal vulnerability in Apache Tapestry 5.4.0 | Tapestry processes assets `/assets/ctx` using the class chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so an attacker can perform a path traversal attack to read any files on the Windows platform. | network, low complexity, apache CWE-22, 7.5 |
| 2019-09-16 | CVE-2019-0195 | Deserialization of Untrusted Data vulnerability in Apache Tapestry 5.4.0 | By manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. | network, low complexity, apache CWE-502, critical, 9.8 |