Apache Tiles: Unvalidated input may lead to path traversal and XXE

2023-12-0100:31:00

Google

osv.dev

apache tiles

unvalidated input

path traversal

xxe

defaultlocaleresolver

session

ssrf

xxe

user-controlled data

tiles-test

vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

23.1%

JSON

The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the ‘tiles-test’ application shipped with Tiles.

This issue affects Apache Tiles from version 2 onwards.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CPENameOperatorVersion
org.apache.tiles:tiles-coreeq2.0.1
org.apache.tiles:tiles-coreeq2.1.2
org.apache.tiles:tiles-coreeq2.2.2
org.apache.tiles:tiles-coreeq3.0.5
org.apache.tiles:tiles-coreeq3.0.8
org.apache.tiles:tiles-coreeq2.1.4
org.apache.tiles:tiles-coreeq3.0.4
org.apache.tiles:tiles-coreeq2.1.3
org.apache.tiles:tiles-coreeq3.0.1
org.apache.tiles:tiles-coreeq2.2.1

Name	Operator	Version
org.apache.tiles:tiles-core	eq	2.0.1
org.apache.tiles:tiles-core	eq	2.1.2
org.apache.tiles:tiles-core	eq	2.2.2
org.apache.tiles:tiles-core	eq	3.0.5
org.apache.tiles:tiles-core	eq	3.0.8
org.apache.tiles:tiles-core	eq	2.1.4
org.apache.tiles:tiles-core	eq	3.0.4
org.apache.tiles:tiles-core	eq	2.1.3
org.apache.tiles:tiles-core	eq	3.0.1
org.apache.tiles:tiles-core	eq	2.2.1