CVE-2019-0195
Description
Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. The vector would be the t:formdata parameter from the Form component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal in Apache Tapestry allows attackers to download the HMAC secret key file from the classpath, enabling remote code execution via deserialization.
Vulnerability
Description
The vulnerability resides in Apache Tapestry's asset handling mechanism. By manipulating classpath asset file URLs, an attacker can traverse directories and guess the path to a known file within the classpath, such as AppModule.class. This file contains the value of the tapestry.hmac-passphrase configuration symbol, which is used for HMAC-based form integrity checks [1].
Exploitation
Conditions
No authentication is required. The attacker only needs to send crafted requests to the target application. For instance, requesting a URL like /assets/something/services/AppModule.class could retrieve the compiled class file that contains the HMAC secret key. The original fix for this issue was a blacklist filter that blocked requests ending with .class, .properties, or .xml, but this was later bypassed in CVE-2021-27850 by using alternative extensions or encoding techniques [2].
Impact
If the attacker successfully retrieves the tapestry.hmac-passphrase value, they can forge the t:formdata parameter used by the Form component. This allows crafting a malicious serialized Java object that, when deserialized by the server, leads to arbitrary Java code execution. The overall impact ranges from sensitive data exposure to a full compromise of the affected system [1].
Mitigation
Upgrading to a patched version is the recommended remediation. The vulnerability was addressed in Apache Tapestry 5.4.5, 5.5.0, 5.6.2, and 5.7.0 (with further fixes for the bypass). Organizations still using older versions should apply security updates immediately to prevent unauthenticated RCE attacks [1][2].
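Besides upgrading, defenders usually want to know whether anyone has already probed the asset handler for classpath resources. The following is an added example (not code from the Apache Tapestry project or from this advisory): a small log scanner that applies the detection logic implied by the Conditions and Mitigation sections above. It percent-decodes each request path before inspection, flags requests under `/assets/` whose final segment has one of the extensions the original fix denied (`.class`, `.properties`, `.xml`), and otherwise treats anything outside an allowlist of ordinary web asset extensions as unexpected, which is the stricter posture once an extension blacklist is known to have been bypassed. The log lines, the IP addresses, and the `ALLOWED_ASSET_EXTENSIONS` set are constructed assumptions for illustration; tune the allowlist to what your deployment actually serves.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): two ordinary asset
# fetches followed by three requests for classpath resources under /assets/.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2026:10:00:01 +0000] "GET /assets/1.0/tapestry/tapestry.js HTTP/1.1" 200 4120
10.0.0.5 - - [22/May/2026:10:00:02 +0000] "GET /assets/1.0/ctx/images/logo.png HTTP/1.1" 200 812
10.0.0.9 - - [22/May/2026:10:00:03 +0000] "GET /assets/something/services/AppModule.class HTTP/1.1" 200 3310
10.0.0.9 - - [22/May/2026:10:00:04 +0000] "GET /assets/something/services/AppModule%2Eclass HTTP/1.1" 200 3310
10.0.0.9 - - [22/May/2026:10:00:05 +0000] "GET /assets/something/app.properties HTTP/1.1" 404 0
"""

# Assumed allowlist of extensions a Tapestry deployment legitimately serves from
# /assets/. Anything else is reported; adjust to your own application.
ALLOWED_ASSET_EXTENSIONS = {
    "js", "css", "png", "jpg", "jpeg", "gif", "svg", "ico", "woff", "woff2", "map",
}

# The extensions the original (later bypassed) fix denied; used only to label findings.
SENSITIVE_EXTENSIONS = {"class", "properties", "xml"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def normalize_path(raw_path: str) -> str:
    """Drop the query string, percent-decode once, and collapse repeated slashes.

    Inspecting the decoded path is what keeps an extension check from being
    sidestepped by encoded characters in the request line.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    return re.sub(r"/+", "/", path)


def classify_asset_request(raw_path: str) -> Optional[str]:
    """Return a finding label for a request under /assets/, or None if it looks benign."""
    path = normalize_path(raw_path)
    if not path.startswith("/assets/"):
        return None
    # A literal '..' segment after decoding is never part of a legitimate asset URL.
    if ".." in path.split("/"):
        return "traversal-sequence"
    last_segment = path.rsplit("/", 1)[-1]
    ext = last_segment.rsplit(".", 1)[-1].lower() if "." in last_segment else ""
    if ext in SENSITIVE_EXTENSIONS:
        return "classpath-resource:" + ext
    if ext not in ALLOWED_ASSET_EXTENSIONS:
        return "unexpected-extension:" + (ext or "<none>")
    return None


def scan_log(text: str) -> List[Dict]:
    """Parse common-log-format lines and collect suspicious /assets/ requests.

    The HTTP status is kept because a 200 on a .class fetch means the resource
    was actually served, which is far more urgent than a 404 probe.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_asset_request(m["path"])
        if label:
            findings.append({
                "ip": m["ip"],
                "path": normalize_path(m["path"]),
                "status": int(m["status"]),
                "label": label,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the scanner reports the two `AppModule.class` fetches (the encoded one decodes to the same path) and the `.properties` probe, and stays silent on the JavaScript and image requests. Findings with status 200 on a sensitive extension are the ones that warrant treating the `tapestry.hmac-passphrase` as compromised and rotating it alongside the upgrade.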
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tapestry:tapestry-core (Maven) | >= 5.4.0, < 5.4.5 | 5.4.5 |
Affected products
- tapestry/AppModule (source: description)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-6mwh-fw4p-75fj (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-0195 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2021/04/15/1 (ghsa; mailing-list, x_refsource_MLIST, WEB)
- lists.apache.org/thread.html/5173c4eed06e2fca6fd5576ed723ff6bb1711738ec515cb51a04ab24%40%3Cusers.tapestry.apache.org%3E (mitre; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/5173c4eed06e2fca6fd5576ed723ff6bb1711738ec515cb51a04ab24@%3Cusers.tapestry.apache.org%3E (ghsa; WEB)
- lists.apache.org/thread.html/6c40c1e03d2131119f9b77882431a0050f02bf9cae9ee48b84d012df%40%3Cusers.tapestry.apache.org%3E (mitre; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/6c40c1e03d2131119f9b77882431a0050f02bf9cae9ee48b84d012df@%3Cusers.tapestry.apache.org%3E (ghsa; WEB)
- lists.apache.org/thread.html/a4092cb3bacb143571024e79c0016c039b6c982423daa33a7a5c794a%40%3Cusers.tapestry.apache.org%3E (mitre; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/a4092cb3bacb143571024e79c0016c039b6c982423daa33a7a5c794a@%3Cusers.tapestry.apache.org%3E (ghsa; WEB)
- lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E (mitre; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751@%3Cusers.tapestry.apache.org%3E (ghsa; WEB)
- lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c%40%3Ccommits.tapestry.apache.org%3E (mitre; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c@%3Ccommits.tapestry.apache.org%3E (ghsa; WEB)
- lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843%40%3Ccommits.tapestry.apache.org%3E (mitre; mailing-list, x_refsource_MLIST)
- lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843@%3Ccommits.tapestry.apache.org%3E (ghsa; WEB)
News mentions
No linked articles in our index yet.