CVE-2020-17531
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Apache Tapestry is an open-source framework for building web applications in Java.
A remote code execution vulnerability (CVE-2020-17531) has been identified in Apache Tapestry, caused by unsafe use of Java's built-in serialization mechanism. The flaw allows an attacker to execute arbitrary Java code in any affected application that deserializes untrusted data passed in the sp request parameter.
Per OWASP: Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation.
Details
Module Info
- Product: Apache Tapestry
- Affected packages: tapestry-framework
- Affected versions: >=4.0.0, <=4.1.6
- GitHub repository: https://github.com/apache/tapestry4
- Published packages: https://repo1.maven.org/maven2/org/apache/tapestry/tapestry-framework
- Package manager: maven
- Fixed in: NES for Apache Tapestry v4.1.7
Vulnerability Info
This critical-severity vulnerability affects Apache Tapestry versions 4.0.0 through 4.1.6. Apache Tapestry 5.x is not affected.
Requests sent to a Tapestry 4 application can carry an sp request parameter. Its values are encoded ("squeezed") strings that the framework's DataSqueezer converts back into typed Java values. When the DataSqueezer recognises a value as a base-64-encoded serialized Java object, it decodes it and deserializes it with ObjectInputStream.readObject() with no class filtering, so any Serializable class on the application's classpath can be instantiated during deserialization. An attacker who can send requests to the application can therefore place a serialized gadget chain in sp and have it execute inside the application's process, with the application's privileges.
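The following added example is not Tapestry code and not part of this advisory; it models the sink described above so the two deserialization patterns can be compared side by side. It assumes a one-character 'O' prefix marking "base64 of a serialized object" (a stand-in for DataSqueezer's real adaptor encoding, which is not reproduced), a hypothetical application type Money as the only value the endpoint legitimately expects, and java.util.HashMap as a harmless stand-in for an unexpected class (a real attack would send a gadget chain). unsqueezeUnsafe mirrors the unfiltered readObject() call; unsqueezeFiltered shows the same decode path with a JEP 290 ObjectInputFilter (java.io.ObjectInputFilter, Java 9+) that allowlists classes and caps nesting depth.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Base64;
import java.util.HashMap;
import java.util.Set;

/**
 * Added illustration of the deserialization sink described in the advisory.
 * Not Tapestry code: it models a request parameter carrying a serialized object
 * and contrasts unfiltered readObject() with a filtered one.
 */
public class SqueezedObjectDemo {

    // Assumption: a one-character prefix marks "base64 of a serialized object".
    // Tapestry 4's real DataSqueezer/adaptor encoding is not reproduced here.
    static final char OBJECT_PREFIX = 'O';

    // Assumption: the only class this endpoint legitimately expects in sp.
    static final Set<String> ALLOWED = Set.of(Money.class.getName());

    /** Hypothetical application type that a page might legitimately pass in sp. */
    static final class Money implements Serializable {
        private static final long serialVersionUID = 1L;
        final long cents;
        Money(long cents) { this.cents = cents; }
        @Override public String toString() { return "Money(" + cents + ")"; }
    }

    /** Encodes a value the way the sink expects: prefix + base64(serialized bytes). */
    static String squeeze(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return OBJECT_PREFIX + Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    /** Strips the prefix and base64-decodes; shared by both unsqueeze paths. */
    static byte[] decode(String sp) {
        if (sp == null || sp.isEmpty() || sp.charAt(0) != OBJECT_PREFIX) {
            throw new IllegalArgumentException("not an object-typed sp value");
        }
        return Base64.getDecoder().decode(sp.substring(1));
    }

    /** Vulnerable pattern: readObject() on request data with no class filtering. */
    static Object unsqueezeUnsafe(String sp) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(decode(sp)))) {
            return in.readObject(); // any Serializable class on the classpath is reachable here
        }
    }

    /** Hardened pattern: an ObjectInputFilter rejects every class not on the allowlist. */
    static Object unsqueezeFiltered(String sp) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(decode(sp)))) {
            in.setObjectInputFilter(info -> {
                if (info.depth() > 4) {                // gadget chains nest deeply; Money does not
                    return ObjectInputFilter.Status.REJECTED;
                }
                Class<?> c = info.serialClass();
                if (c == null) {                       // back-reference/size checks, no class to judge
                    return ObjectInputFilter.Status.UNDECIDED;
                }
                return ALLOWED.contains(c.getName())
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();                    // throws InvalidClassException on REJECTED
        }
    }

    public static void main(String[] args) throws Exception {
        String benign = squeeze(new Money(1999));                   // constructed: what a page would send
        String unexpected = squeeze(new HashMap<String, String>()); // constructed stand-in for a gadget chain

        System.out.println("unsafe, benign:       " + unsqueezeUnsafe(benign));
        System.out.println("unsafe, unexpected:   " + unsqueezeUnsafe(unexpected)); // accepted without question
        System.out.println("filtered, benign:     " + unsqueezeFiltered(benign));
        try {
            unsqueezeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

For an application that cannot change the framework code, the same JDK mechanism is available without code changes: the jdk.serialFilter system property (Java 8u121+ and 9+) installs a process-wide filter, for example -Djdk.serialFilter='com.example.**;!*' to allow only the application's own packages. The allowlist must cover every class the application legitimately squeezes into sp, so test it against real traffic before relying on it; it reduces the reachable gadget surface but is a stop-gap, not a substitute for the mitigations below.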
Mitigation
Apache Tapestry 4.x is End-of-Life and will not receive any updates to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade applications to Apache Tapestry 5.x. Tapestry 5 is not backward compatible with 4.x, so this is a migration rather than a drop-in version bump.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.