Количество 2
Количество 2
CVE-2019-0195
Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.
GHSA-6mwh-fw4p-75fj
Deserialization of Untrusted Data in Apache Tapestry
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2019-0195 Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component. | CVSS3: 9.8 | 16% Средний | больше 6 лет назад |
| GHSA-6mwh-fw4p-75fj Deserialization of Untrusted Data in Apache Tapestry | CVSS3: 9.8 | 16% Средний | больше 3 лет назад |
Уязвимостей на страницу