Deserialization of Untrusted Data in Apache Tapestry
Critical severity. GitHub Reviewed.
Published May 24, 2022 to the GitHub Advisory Database. Updated Feb 1, 2023.
Package
Affected versions: >= 5.4.0, < 5.4.5
Patched versions: 5.4.5
Published by the National Vulnerability Database: Sep 16, 2019
Reviewed: Nov 3, 2022
Description
By manipulating classpath asset file URLs, an attacker could guess the path to a known file on the classpath and have it downloaded. If the attacker obtained the file holding the value of the tapestry.hmac-passphrase configuration symbol (most probably the webapp's AppModule class), that value could be used to craft a Java deserialization attack and thus run injected Java code. The attack vector is the t:formdata parameter of the Form component.
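As an added example (not from the advisory or the Tapestry project), the configuration pattern that keeps the secret out of the downloadable class file: the weak form hard-codes the passphrase in AppModule, where it lands as a constant in AppModule.class on the classpath, while the hardened form reads it from the deployment environment at startup and refuses to start without it. The package name and the environment-variable name are assumptions; upgrading to the patched 5.4.5 remains the fix for the asset URL flaw itself.

```java
// Added example, not code from the advisory or from Apache Tapestry.
package com.example.app.services; // hypothetical package

import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.MappedConfiguration;

public class AppModule {

    // Weak: the string literal is compiled into AppModule.class, which sits on the
    // classpath and is exactly the kind of file the advisory describes being retrieved.
    //
    // public static void contributeApplicationDefaults(
    //         MappedConfiguration<String, Object> configuration) {
    //     configuration.add(SymbolConstants.HMAC_PASSPHRASE, "fixed-passphrase-in-source");
    // }

    // Hardened: the compiled class carries no secret; the passphrase comes from the
    // deployment environment, and startup fails fast rather than falling back to a default.
    public static void contributeApplicationDefaults(
            MappedConfiguration<String, Object> configuration) {
        // Environment-variable name is an assumption for this example.
        String passphrase = System.getenv("TAPESTRY_HMAC_PASSPHRASE");
        if (passphrase == null || passphrase.length() < 32) {
            throw new IllegalStateException(
                "TAPESTRY_HMAC_PASSPHRASE must be set to at least 32 characters");
        }
        configuration.add(SymbolConstants.HMAC_PASSPHRASE, passphrase);
    }
}
```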