7.5
CVE-2021-30638
- EPSS 5.31%
- Veröffentlicht 27.04.2021 19:15:07
- Zuletzt bearbeitet 21.11.2024 06:04:20
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
LoginAn Information Disclosure due to insufficient input validation exists in Apache Tapestry 5.4.0 and later
Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 5.31% | 0.896 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 5 | 10 | 2.9 |
AV:N/AC:L/Au:N/C:P/I:N/A:N
|
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-863 Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.