{"id": "CVE-2019-10071", "bulletinFamily": "NVD", "title": "CVE-2019-10071", "description": "The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm instead.", "published": "2019-09-16T18:15:00", "modified": "2020-05-31T18:15:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10071", "reporter": "cve@mitre.org", "references": ["https://lists.apache.org/thread.html/6e8f42c88da7be3c60aafe3f6a85eb00b4f8b444de26b38d36233a43@%3Cusers.tapestry.apache.org%3E", "https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c@%3Ccommits.tapestry.apache.org%3E", "https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843@%3Ccommits.tapestry.apache.org%3E", "https://lists.apache.org/thread.html/bac8d6f9e1b4059b319d9cba6f33219a99b81623476ec896138f851c@%3Cusers.tapestry.apache.org%3E", "https://lists.apache.org/thread.html/7a437dad5af7309aba4d01bfc2463b3ac34e6aafaa565381d3a36460@%3Cusers.tapestry.apache.org%3E"], "cvelist": ["CVE-2019-10071"], "type": "cve", "lastseen": "2020-12-09T21:41:37", "edition": 10, "viewCount": 90, "enchantments": {"dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-33159"]}, {"type": "github", "idList": ["GHSA-FGMR-VX7C-5WJ6"]}], "modified": "2020-12-09T21:41:37", "rev": 2}, "score": {"value": 2.2, "vector": "NONE", "modified": "2020-12-09T21:41:37", "rev": 2}, "vulnersScore": 2.2}, "cpe": ["cpe:/a:apache:tapestry:5.4.3"], "affectedSoftware": [{"cpeName": "apache:tapestry", "name": "apache tapestry", "operator": "le", "version": "5.4.3"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": ["cpe:2.3:a:apache:tapestry:5.4.3:*:*:*:*:*:*:*"], "cwe": ["CWE-20"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:apache:tapestry:5.4.3:*:*:*:*:*:*:*", "versionEndIncluding": "5.4.3", "versionStartIncluding": "5.4.0", "vulnerable": true}], "operator": "OR"}]}}

{"zdt": [{"lastseen": "2019-12-04T19:58:09", "description": "Exploit for java platform in category web applications", "edition": 1, "published": "2019-08-26T00:00:00", "title": "Apache Tapestry 5.3.6 HMAC Timing Attack Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-10071"], "modified": "2019-08-26T00:00:00", "id": "1337DAY-ID-33159", "href": "https://0day.today/exploit/description/33159", "sourceData": "CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry\r\n\r\nAffected versions:\r\n- Apache Tapestry 5.3.6 through current releases.\r\n\r\nDescription:\r\nApache Tapestry uses HMACs to verify the integrity of objects stored on the\r\nclient side. This was added to address the Java deserialization\r\nvulnerability\r\ndisclosed in CVE-2014-1972. In the fix for the previous vulnerability, the\r\nHMACs were compared by string comparison, which is known to be vulnerable to\r\ntiming attacks.\r\n\r\nMitigation:\r\nNo new release of Tapestry has occurred since the issue was reported.\r\nAffected\r\norganizations may want to consider locally applying commit\r\nd3928ad44714b949d247af2652c84dae3c27e1b1.\r\n\r\nTimeline:\r\n- 2019-03-12: Issue discovered.\r\n- 2019-03-13: Issue reported to [email\u00a0protected]\r\n- 2019-03-29: Pinged thread to ask for update.\r\n- 2019-04-19: Fix committed.\r\n- 2019-04-23: Asked about release timeline, response \"in the upcoming\r\nmonths\"\r\n- 2019-05-28: Pinging again about release.\r\n- 2019-06-24: Asked again, asked for CVE number assigned. No update on\r\n timeline.\r\n- 2019-08-22: Disclosure posted.\r\n\r\nThis vulnerability was discovered by David Tomaschik of the Google Security\r\nTeam.\r\n\r\n-- \r\nDavid Tomaschik\r\nSecurity Engineer\r\nISA Assessments\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33159"}], "github": [{"lastseen": "2020-06-01T22:39:15", "bulletinFamily": "software", "cvelist": ["CVE-2019-10071"], "description": "The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm instead.", "edition": 3, "modified": "2020-06-01T19:32:38", "published": "2019-09-26T21:30:34", "id": "GHSA-FGMR-VX7C-5WJ6", "href": "https://github.com/advisories/GHSA-fgmr-vx7c-5wj6", "title": "Timing attack on HMAC signature comparison in Apache Tapestry", "type": "github", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}