{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-06T00:40:22.719","vulnerabilities":[{"cve":{"id":"CVE-2022-31781","sourceIdentifier":"security@apache.org","published":"2022-07-13T08:15:07.213","lastModified":"2024-11-21T07:05:18.387","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete. Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class. Apache Tapestry 5.8.2 has a fix for this vulnerability. Notice the vulnerability cannot be triggered by web requests in Tapestry code alone. It would only happen if there's some non-Tapestry codepath passing some outside input to the ContentType class constructor."},{"lang":"es","value":"Apache Tapestry versiones hasta 5.8.1 es vulnerable a una Denegación de Servicio por Expresión Regular (ReDoS) en la forma en que maneja los Tipos de Contenido. Los Tipos de Contenido especialmente diseñados pueden causar un retroceso catastrófico, tardando un tiempo exponencial en completarse. En concreto, esto es acerca de la expresión regular usada en el parámetro de la clase org.apache.tapestry5.http.ContentType. Apache Tapestry versión 5.8.2 presenta una corrección para esta vulnerabilidad. Obsérvese que la vulnerabilidad no puede ser desencadenada sólo por peticiones web en el código de Tapestry. Sólo ocurriría si se presenta algún codepath no Tapestry pasando alguna entrada externa al constructor de la clase ContentType"}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-1333"}]},{"source":"nvd@nist.gov","type":"Secondary","description":[{"lang":"en","value":"CWE-1333"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*","versionEndExcluding":"5.8.2","matchCriteriaId":"74B1B9B9-B0DD-42B4-86BE-587593E365E3"}]}]}],"references":[{"url":"https://www.openwall.com/lists/oss-security/2022/07/12/3","source":"security@apache.org","tags":["Mailing List","Vendor Advisory"]},{"url":"https://www.openwall.com/lists/oss-security/2022/07/12/3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List","Vendor Advisory"]}]}}]}