Skip to main content

Tapestry

10 CVEs product

Monthly

CVE-2022-46366 Maven CRITICAL PATCH Act Now

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Deserialization Tapestry
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2022-31781 Maven HIGH PATCH This Week

Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Apache Tapestry
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2021-30638 Maven HIGH PATCH This Week

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Tapestry
NVD
CVSS 3.1
7.5
EPSS
6.6%
CVE-2021-27850 Maven CRITICAL POC PATCH THREAT Act Now

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Information Disclosure Java Tapestry
NVD
CVSS 3.1
9.8
EPSS
94.1%
CVE-2020-17531 Maven CRITICAL PATCH Act Now

A Java Serialization vulnerability was found in Apache Tapestry 4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization Tapestry
NVD
CVSS 3.1
9.8
EPSS
9.7%
CVE-2020-13953 Maven MEDIUM PATCH This Month

In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Information Disclosure Tapestry
NVD
CVSS 3.1
5.3
EPSS
2.7%
CVE-2019-10071 Maven CRITICAL PATCH Act Now

The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Tapestry
NVD
CVSS 3.1
9.8
EPSS
8.8%
CVE-2019-0207 Maven HIGH PATCH This Week

Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so attacker can perform a path traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Microsoft Tapestry
NVD
CVSS 3.1
7.5
EPSS
3.1%
CVE-2019-0195 Maven CRITICAL PATCH Act Now

Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Deserialization Tapestry
NVD
CVSS 3.1
9.8
EPSS
14.9%
CVE-2014-1972 Maven HIGH PATCH This Week

Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Denial Of Service Apache Tapestry
NVD
CVSS 2.0
7.8
EPSS
8.8%
EPSS 4% CVSS 9.8
CRITICAL PATCH Act Now

Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Apache Deserialization +1
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Apache Tapestry
NVD
EPSS 7% CVSS 7.5
HIGH PATCH This Week

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Tapestry
NVD
EPSS 94% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Apache Information Disclosure +2
NVD
EPSS 10% CVSS 9.8
CRITICAL PATCH Act Now

A Java Serialization vulnerability was found in Apache Tapestry 4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Java Deserialization +1
NVD
EPSS 3% CVSS 5.3
MEDIUM PATCH This Month

In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Path Traversal Information Disclosure +1
NVD
EPSS 9% CVSS 9.8
CRITICAL PATCH Act Now

The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Tapestry
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

Tapestry processes assets `/assets/ctx` using classes chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which doesn't filter the character `\`, so attacker can perform a path traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Microsoft Tapestry
NVD
EPSS 15% CVSS 9.8
CRITICAL PATCH Act Now

Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Deserialization Tapestry
NVD
EPSS 9% CVSS 7.8
HIGH PATCH This Week

Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.

RCE Denial Of Service Apache +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy