Apache Tapestry Vulnerability List
2 vulnerabilities related to Apache Tapestry were found
CVE-2021-27850: Apache Tapestry - Remote Code Execution POC
Apache Tapestry contains a critical unauthenticated remote code execution vulnerability. Affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. Note that this vulnerability is a bypass of the fix for CVE-2019-0195. Before that fix it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.
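Apache Tapestry Remote Code Execution (CVE-2021-27850) No POC
Apache Tapestry 5.4.5, 5.5.0, 5.6.2 and 5.7.0. In CVE-2019-0195, by manipulating the classpath asset file URL, an attacker could guess the path of a file on the classpath and then download that file. An attacker can request the URL that contains the HMAC secret key; this class usually contains the HMAC secret key used to sign serialized Java objects. Knowing that key, the attacker can sign a Java gadget chain (for example ysoserial's CommonsBeanUtils1), ultimately leading to remote code execution.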