CVE-2021-27850
CVE-2021-27850 is a critical, unauthenticated RCE affecting all recent Apache Tapestry versions up to 5.7.0. The issue is a bypass of the CVE-2019-0195 fix: an attacker can retrieve AppModule.class via crafted asset/file URLs, leaking the HMAC secret key used to sign serialized Java objects. The ...
CVE-2019-0195
CVE-2019-0195 describes a vulnerability in Apache Tapestry where an attacker can manipulate classpath asset file URLs to download known classpath files. If the attacker obtains the value of the tapestry.hmac-passphrase (likely from AppModule), this can be used to craft a Java deserialization atta...
CVE-2019-10071
CVE-2019-10071 is an Apache Tapestry timing-attack vulnerability caused by using String.equals() to compare HMACs in form submissions. This creates a timing side channel that could let an attacker estimate the correct signature for a payload, potentially enabling remote code execution. Affected v...
CVE-2022-31781
CVE-2022-31781 affects Apache Tapestry up to version 5.8.1. It is a Regular Expression Denial of Service (ReDoS) vulnerability in how the ContentType class handles Content Types, where crafted inputs may cause catastrophic backtracking and exponential-time processing. The issue is triggered only ...
CVE-2019-0207
The CVE-2019-0207 issue involves the Tapestry framework’s asset handling, where the asset path chain StaticFilesFilter → AssetDispatcher → ContextResource fails to filter the backslash character on Windows, enabling path traversal to read arbitrary files. Affected component: Tapestry assets proce...
CVE-2021-30638
CVE-2021-30638 is an information-exposure vulnerability in Apache Tapestry caused by an incomplete fix for CVE-2020-13953 in context asset handling. It affects Apache Tapestry versions 5.4.0 through 5.6.3, and 5.7.0 through 5.7.1. An attacker can construct a URL to download files inside WEB-INF, ...
CVE-2020-17531
CVE-2020-17531 affects Apache Tapestry 4. It describes a Java deserialization vulnerability where the server will deserialize the sp parameter before page validation, allowing deserialization without authentication. Tapestry 4 is end-of-life (2008) and no fix will be released; Tapestry 5 is not a...
CVE-2022-46366
CVE-2022-46366 describes a remote code execution in Apache Tapestry 3.x caused by deserialization of untrusted data. The affected component is Apache Tapestry 3.x (Java-based web framework); root cause is deserialization of untrusted input leading to RCE. Public sources in the connected documents...
CVE-2020-13953
This CVE relates to Apache Tapestry where an information disclosure vulnerability allows an attacker to download files in WEB-INF via specially crafted URLs. The issue stems from an incomplete fix for CVE-2020-13953 and affects Apache Tapestry 5.4.0–5.6.3, with related advisories noting impact on...
CVE-2014-1972
Apache Tapestry prior to 5.3.6 is vulnerable due to storing objects on the client side without verifying client modifications, enabling denial of service or arbitrary code execution via crafted serialized data. Affected: Apache Tapestry versions up to 5.3.5 (and 5.3.x prior to 5.3.6). Root cause:...