Vulnerability in Apache Tapestry
CVE-2019-0207
Tapestry serves context assets under `/assets/ctx` through the class chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which does not filter the character `\`, so an attacker can perform a path traversal attack to read any files on Windows pla…
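The practical point of the description is that a traversal check which only treats `/` as a path separator is bypassable on Windows, where the filesystem also honours `\`. The following is an added example written for this page, not Tapestry's own code: a stand-in for that class of weak check next to a hardened resolver, plus a detector that flags backslash traversal attempts against the `/assets/ctx` prefix in constructed access-log lines. The asset root `C:\app\webapp`, the function names and the log lines are all assumptions made for the demonstration.

```python
import ntpath
import re
from urllib.parse import unquote

# Assumed asset root for the demonstration; any Windows directory would do.
ASSET_ROOT = r"C:\app\webapp"


def naive_filter_passes(asset_path: str) -> bool:
    """Illustrative stand-in for a check that only knows '/' as a separator.
    This is not Tapestry's code; it shows the mistake the advisory describes."""
    return ".." not in asset_path.split("/")


def windows_resolve(asset_path: str) -> str:
    """Join and normalise the way a Windows filesystem would. ntpath treats
    both '/' and '\\' as separators, so this behaves the same on Linux."""
    return ntpath.normpath(ntpath.join(ASSET_ROOT, asset_path.lstrip("/\\")))


def escapes_root(resolved: str) -> bool:
    """True when the resolved path lies outside ASSET_ROOT."""
    root = ntpath.normcase(ntpath.normpath(ASSET_ROOT)) + "\\"
    return not ntpath.normcase(resolved).startswith(root)


def hardened_filter_passes(asset_path: str) -> bool:
    """Decode (twice, to catch %255c), reject backslashes and NUL outright,
    reject dot segments, then confirm the resolved path stays under the root."""
    decoded = unquote(unquote(asset_path))
    if "\\" in decoded or "\x00" in decoded:
        return False
    if any(seg in ("..", ".") for seg in decoded.split("/")):
        return False
    return not escapes_root(windows_resolve(decoded))


# Constructed access-log lines (not real traffic) in common log format.
SAMPLE_LOG_LINES = [
    r'10.0.0.5 - - [13/Sep/2019:10:00:01 +0000] "GET /assets/ctx/css/site.css HTTP/1.1" 200 812',
    r'10.0.0.9 - - [13/Sep/2019:10:00:02 +0000] "GET /assets/ctx/..\..\..\Windows\win.ini HTTP/1.1" 200 403',
    r'10.0.0.9 - - [13/Sep/2019:10:00:03 +0000] "GET /assets/ctx/%5c..%5c..%5cWEB-INF%5cweb.xml HTTP/1.1" 200 1920',
    r'10.0.0.7 - - [13/Sep/2019:10:00:04 +0000] "GET /assets/ctx/images/logo.png HTTP/1.1" 200 5120',
]

# A backslash (raw, %5c or double-encoded %255c) immediately before a '..'
# segment, somewhere under the context-asset prefix named in the advisory.
TRAVERSAL_RE = re.compile(
    r"/assets/ctx/\S*(?:\\|%5c|%255c)(?:\.\.|%2e%2e)", re.IGNORECASE
)
CLF_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "\w+ (\S+) ')


def flag_traversal_requests(log_lines) -> list:
    """Return (client_ip, request_path) for every line that looks like a
    backslash traversal attempt against the context asset handler."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if m and TRAVERSAL_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    probe = r"..\..\..\Windows\win.ini"
    print("naive check passes:   ", naive_filter_passes(probe))
    print("resolves to:          ", windows_resolve(probe))
    print("escapes asset root:   ", escapes_root(windows_resolve(probe)))
    print("hardened check passes:", hardened_filter_passes(probe))
    for ip, path in flag_traversal_requests(SAMPLE_LOG_LINES):
        print("suspect request:", ip, path)
```

Run stand-alone, the naive check accepts `..\..\..\Windows\win.ini` because it never sees a `..` segment when splitting on `/`, while `ntpath.normpath` collapses the same string to `C:\Windows\win.ini`, outside the asset root. The hardened check rejects it before resolution, and the containment check on the normalised path is the backstop that would catch any separator the deny-list missed.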
EPSS: 0.014 (80.6th percentile)
Affected products
- Apache Tapestry 5.4.0 through 5.4.4 (fixed in 5.4.5)
Public proof-of-concept exploits
References
- [tapestry-users] 2019-09-13: CVE-2019-0207: Apache Tapestry vulnerability disclosure (mailing list)
- [tapestry-users] 2019-10-07: Re: CVE-2019-10071: Apache Tapestry vulnerability disclosure (mailing list)
- [tapestry-commits] 2020-01-11: svn commit r1055136 [2/2] in /websites/production/tapestry/content: cache/main.pageCache, component-rendering.html, content-type-and-markup.html, dom.html, https.html, request-processing.html, response-compression.html, security.html, url-rewriting.html (mailing list)
- [tapestry-commits] 2020-05-31: svn commit r1061326 [4/4] in /websites/production/tapestry/content: ./, cache/ (mailing list)
Frequently asked questions
- What is CVE-2019-0207?
- CVE-2019-0207 is a path traversal vulnerability in the context asset handling of Apache Tapestry 5.4.0 through 5.4.4, exploitable on Windows. Published 2019-09-16.
- Is CVE-2019-0207 known to be exploited?
- Four public proof-of-concept repositories are indexed. It is not currently listed in the CISA KEV catalog.