Tapestry
CVE-2022-46366
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry.
AnalysisAI
Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Deserialization of Untrusted Data (CWE-502), which allows attackers to execute arbitrary code through malicious serialized objects. Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar to but distinct from CVE-2020-17531, which applies the the (also unsupported) 4.x version line. NOTE: This vulnerability only affects Apache Tapestry version line 3.x, which is no longer supported by the maintainer. Users are recommended to upgrade to a supported version line of Apache Tapestry. Affected products include: Apache Tapestry.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid deserializing untrusted data. Use safe serialization formats (JSON). Implement integrity checks and type allowlists.
A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. Rated c
A Java Serialization vulnerability was found in Apache Tapestry 4. Rated critical severity (CVSS 9.8), this vulnerabilit
The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side chan
Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it do
Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an obje
Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles
Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files ins
Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, w
In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder
Same weakness CWE-502 – Deserialization of Untrusted Data
View allShare
External POC / Exploit Code
Leaving vuln.today