{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T16:41:35.582","vulnerabilities":[{"cve":{"id":"CVE-2019-0195","sourceIdentifier":"security@apache.org","published":"2019-09-16T16:15:10.007","lastModified":"2024-11-21T04:16:27.610","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component."},{"lang":"es","value":"Manipulando las URL de los archivos asset del classpath, un atacante podría adivinar la ruta (path) hacia un archivo conocido en el classpath y descargarlo. Si el atacante encontró el archivo con el valor del símbolo de configuración de tapestry.hmac-passphrase, más probablemente la clase AppModule de la aplicación web, el valor de este símbolo podría ser usado para diseñar un ataque de deserialización de Java, ejecutando así un código Java inyectado malicioso. El vector sería el parámetro t:formdata del componente Form."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","baseScore":7.5,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL"},"baseSeverity":"HIGH","exploitabilityScore":10.0,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.0","versionEndIncluding":"5.4.3","matchCriteriaId":"5AB47FEF-7534-4DC0-898C-6989B54F194C"}]}]}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2021/04/15/1","source":"security@apache.org","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.apache.org/thread.html/5173c4eed06e2fca6fd5576ed723ff6bb1711738ec515cb51a04ab24%40%3Cusers.tapestry.apache.org%3E","source":"security@apache.org"},{"url":"https://lists.apache.org/thread.html/6c40c1e03d2131119f9b77882431a0050f02bf9cae9ee48b84d012df%40%3Cusers.tapestry.apache.org%3E","source":"security@apache.org"},{"url":"https://lists.apache.org/thread.html/a4092cb3bacb143571024e79c0016c039b6c982423daa33a7a5c794a%40%3Cusers.tapestry.apache.org%3E","source":"security@apache.org"},{"url":"https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E","source":"security@apache.org"},{"url":"https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c%40%3Ccommits.tapestry.apache.org%3E","source":"security@apache.org"},{"url":"https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843%40%3Ccommits.tapestry.apache.org%3E","source":"security@apache.org"},{"url":"http://www.openwall.com/lists/oss-security/2021/04/15/1","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Third Party Advisory"]},{"url":"https://lists.apache.org/thread.html/5173c4eed06e2fca6fd5576ed723ff6bb1711738ec515cb51a04ab24%40%3Cusers.tapestry.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.apache.org/thread.html/6c40c1e03d2131119f9b77882431a0050f02bf9cae9ee48b84d012df%40%3Cusers.tapestry.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.apache.org/thread.html/a4092cb3bacb143571024e79c0016c039b6c982423daa33a7a5c794a%40%3Cusers.tapestry.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c%40%3Ccommits.tapestry.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"},{"url":"https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843%40%3Ccommits.tapestry.apache.org%3E","source":"af854a3a-2127-422b-91ae-364da2661108"}]}}]}