CVE-2021-30638 — Information Exposure in Apache Tapestry

Description

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.

How to fix CVE-2021-30638

To remediate CVE-2021-30638, upgrade the affected package to a fixed version below.

—upgrade to 5.6.4 or later

Is CVE-2021-30638 being exploited?

Moderate — EPSS is 5.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

>= 5.4.0, < 5.6.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-30638
WEBlists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E
WEBsecurity.netapp.com/advisory/ntap-20210528-0004
WEBwww.zerodayinitiative.com/advisories/ZDI-21-491