Description: An Information Exposure vulnerability in the context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF by using a specially constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry 5.4.0 through 5.6.3, and Apache Tapestry 5.7.0 and 5.7.1.
Solution:
For Tapestry 5.4.0 to 5.6.3: upgrade to 5.6.4
For Tapestry 5.7.0 and 5.7.1: upgrade to 5.7.2

************ Problem Description ************

An Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.6.1 and later (latest).

A recent patch for CVE-2020-13953 ( https://github.com/apache/tapestry-5/commit/cf1912291af9146ee86a4aef471ae2ab31d3a28b ) fails to account for the backslash character in the filtering regex. An attacker is therefore able to list and download web app files from the WEB-INF and META-INF directories using a crafted payload.

Credit: This vulnerability was discovered by Kc Udonsi of Trend Micro

-- Thiago
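The root cause above is a path filter that recognises only one separator. The following is an added illustration, not Tapestry's code and not the actual regex from the referenced commit: a hypothetical segment filter in the style of the incomplete fix next to a hardened check that decodes the path, treats backslash as a separator, and rejects traversal and the protected directories before any file lookup happens.

```python
from urllib.parse import unquote

# Directories that must never be served as context assets (named in the advisory).
FORBIDDEN_DIRS = {"web-inf", "meta-inf"}


def weak_is_allowed(path: str) -> bool:
    """Hypothetical filter modelled on the incomplete fix: it inspects only
    forward-slash-separated segments, so a backslash-separated path is
    never recognised as entering WEB-INF or META-INF."""
    segments = [s.lower() for s in path.split("/") if s]
    return not any(s == ".." or s in FORBIDDEN_DIRS for s in segments)


def hardened_is_allowed(path: str) -> bool:
    """Accept a context asset path only if, after percent-decoding and
    separator normalisation, every segment is a plain name outside the
    protected directories and no segment walks up the tree."""
    # Decode repeatedly (bounded) so double-encoded separators are not missed.
    decoded = path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # A NUL byte can truncate the path at the filesystem layer; refuse it.
    if "\x00" in decoded:
        return False
    # Treat backslash exactly like slash: this is the gap in the original regex.
    unified = decoded.replace("\\", "/")
    segments = [s for s in unified.split("/") if s and s != "."]
    if not segments:
        return False
    for seg in segments:
        if seg == ".." or seg.lower() in FORBIDDEN_DIRS:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample paths: the first is a legitimate asset request.
    for candidate in ("css/site.css", "WEB-INF/web.xml", "WEB-INF\\web.xml"):
        print(candidate, weak_is_allowed(candidate), hardened_is_allowed(candidate))
```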