4 matches found
CVE-2019-10071
The code which checks HMAC in form submissions used String.equals for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison...
com.ganshane.lichen:lichen-creeper (>=0.5.9 <=0.5.10.2), com.ganshane.lichen:lichen-node (>=0.5.9 <=0.5.10.2) +45 more potentially affected by CVE-2019-10071 via org.apache.tapestry:tapestry-core (>=5.4-beta-22 <=5.4.4)
org.apache.tapestry:tapestry-core MAVEN version =5.4-beta-22, =0.5.9, =0.5.9, =0.5.9, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.92-RELEASE, =0.98 - de.julielab:julie-elastic-query-components =1.0.3 - de.julielab:julielab-elastic-query-components =1.2.0 -...
CVE-2019-10071
CVE-2019-10071 is an Apache Tapestry timing-attack vulnerability caused by using String.equals() to compare HMACs in form submissions. This creates a timing side channel that could let an attacker estimate the correct signature for a payload, potentially enabling remote code execution. Affected v...
Apache Tapestry 5.3.6 HMAC Timing Attack Vulnerability
Exploit for java platform in category web applications CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry Affected versions: - Apache Tapestry 5.3.6 through current releases. Description: Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side...