CVE-2023-49735

Source: Ubuntu CVE tracker (ubuntu.com), UB:CVE-2023-49735
Published: 2023-11-30 00:00:00
Tags: defaultlocaleresolver, xml definition, path traversal, ssrf, xxe, user-controlled data, apache tiles, maintainer, unsupported products

CVSS 3.1: 7.5 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: High
  Integrity Impact: None
  Availability Impact: None

AI Score: 6.5 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 23.1%)

UNSUPPORTED WHEN ASSIGNED The value set as the
DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated
while resolving XML definition files, leading to possible path traversal
and eventually SSRF/XXE when passing user-controlled data to this key.
Passing user-controlled data to this key may be relatively common, as it
was also used like that to set the language in the ‘tiles-test’ application
shipped with Tiles. This issue affects Apache Tiles from version 2 onwards.
NOTE: This vulnerability only affects products that are no longer supported
by the maintainer.
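The description identifies the root cause as a missing validation step: whatever the application stores under DefaultLocaleResolver.LOCALE_KEY is later used to pick an XML definition file. Because Tiles is no longer maintained, there is no upstream fix to apply, so the only application-side mitigation is to make sure nothing but a known-good Locale is ever written to that key. The following servlet filter is an added example, not code from Apache Tiles, the tiles-test application, or the Ubuntu tracker. It assumes a Servlet 3.x web application using Tiles 2 or 3; the class name SafeLocaleFilter, the "lang" request parameter and the allowlist contents are assumptions, while DefaultLocaleResolver.LOCALE_KEY is the constant the advisory names.

```java
// Added example, not code from Apache Tiles, tiles-test or the Ubuntu tracker.
// Assumes a Servlet 3.x web application that uses Apache Tiles 2 or 3.
// The filter name, the "lang" request parameter and the allowlist are
// assumptions; DefaultLocaleResolver.LOCALE_KEY is the constant named in the advisory.
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.tiles.locale.impl.DefaultLocaleResolver;

public class SafeLocaleFilter implements Filter {

    // Locales for which localized definition files are actually shipped
    // with the application (assumed list).
    private static final Set<Locale> ALLOWED =
            Set.of(Locale.ENGLISH, Locale.GERMAN, Locale.FRENCH);

    // Vulnerable pattern, the shape the advisory describes: the raw request
    // value becomes the Locale that Tiles later turns into a definitions
    // file name, so path separators and ".." reach the file lookup.
    static void setLocaleUnsafe(HttpServletRequest req, String lang) {
        req.getSession().setAttribute(DefaultLocaleResolver.LOCALE_KEY, new Locale(lang));
    }

    // Hardened: parse the value as a BCP 47 language tag and return the
    // matching allowlisted Locale object, or null. Malformed input such as
    // "../../../etc/passwd" parses to Locale.ROOT, which is not allowlisted,
    // so it never reaches the session.
    static Locale toAllowedLocale(String lang) {
        if (lang == null || lang.isEmpty()) {
            return null;
        }
        Locale candidate = Locale.forLanguageTag(lang);
        return ALLOWED.contains(candidate) ? candidate : null;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            Locale locale = toAllowedLocale(req.getParameter("lang"));
            if (locale != null) {
                // Only a canonical, allowlisted Locale object is ever stored
                // under the key Tiles reads; the raw string is discarded.
                req.getSession().setAttribute(DefaultLocaleResolver.LOCALE_KEY, locale);
            }
            // Any other value is ignored and the session attribute is left as it was.
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Two practical notes. First, the allowlist comparison is exact, so a request for "en-US" is rejected unless Locale.US is also in the set; add the regional variants you ship definition files for rather than loosening the check. Second, a filter only helps if it is the sole writer of that key: grep the code base for every use of LOCALE_KEY and for any place that builds a Locale from request data, since the advisory notes that the pattern was common enough to appear in the tiles-test application shipped with Tiles itself.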

Notes

Author Note (sbeattie): tiles is dead upstream, as of 2018/12
