Vulnerability in Apache Tapestry
CVE-2019-10071
The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to deter…
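The comparison flaw described above, next to a constant-time replacement, as an added example that is not Tapestry's code or its actual patch. The class name, key, payload, and the choice of HMAC-SHA256 with Base64 encoding are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not Tapestry source. The key, payload, HMAC-SHA256 and
// Base64 encoding are constructed assumptions.
public class HmacCompareDemo {
    static byte[] hmac(byte[] key, byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data);
    }

    // Pattern named in the advisory: String.equals() returns at the first
    // differing character, so run time depends on the length of the matching prefix.
    static boolean verifyLeaky(byte[] key, byte[] data, String suppliedB64) throws Exception {
        String expected = Base64.getEncoder().encodeToString(hmac(key, data));
        return expected.equals(suppliedB64);
    }

    // Hardened form: decode the supplied value, then compare the raw bytes with
    // MessageDigest.isEqual, which does not stop at the first mismatch.
    static boolean verifyConstantTime(byte[] key, byte[] data, String suppliedB64) throws Exception {
        if (suppliedB64 == null) return false;
        byte[] supplied;
        try {
            supplied = Base64.getDecoder().decode(suppliedB64);
        } catch (IllegalArgumentException e) {
            return false; // malformed Base64 is rejected outright
        }
        return MessageDigest.isEqual(hmac(key, data), supplied);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        byte[] form = "constructed-form-payload".getBytes(StandardCharsets.UTF_8);
        byte[] tag = hmac(key, form);
        String good = Base64.getEncoder().encodeToString(tag);
        tag[0] ^= 1; // flip one bit to build a constructed, invalid signature
        String tampered = Base64.getEncoder().encodeToString(tag);
        for (String s : new String[] {good, tampered, "not base64!"}) {
            System.out.println(s + " leaky=" + verifyLeaky(key, form, s)
                    + " constantTime=" + verifyConstantTime(key, form, s));
        }
    }
}
```

Both verifiers return the same accept or reject decision; the difference is only in how long the rejection takes, which is the signal a timing side channel exposes.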
EPSS: 0.098 (93.1th percentile)
Affected products
- Apache Tapestry — versions 5.4.0 to 5.4.3
References
- [tapestry-users] 20190913 CVE-2019-10071: Apache Tapestry vulnerability disclosure (mailing-list, x_refsource_MLIST)
- [tapestry-users] 20191007 Re: CVE-2019-10071: Apache Tapestry vulnerability disclosure (mailing-list, x_refsource_MLIST)
- [tapestry-users] 20191014 Re: CVE-2019-10071: Apache Tapestry vulnerability disclosure (mailing-list, x_refsource_MLIST)
- [tapestry-commits] 20200111 svn commit: r1055136 [2/2] - in /websites/production/tapestry/content: cache/main.pageCache component-rendering.html content-type-and-markup.html dom.html https.html request-processing.html response-compression.html security.html url-rewriting.html (mailing-list, x_refsource_MLIST)
- [tapestry-commits] 20200531 svn commit: r1061326 [4/4] - in /websites/production/tapestry/content: ./ cache/ (mailing-list, x_refsource_MLIST)