CVE-2019-0207
Description
Tapestry processes assets under /assets/ctx using the class chain StaticFilesFilter -> AssetDispatcher -> ContextResource, which does not filter the character \, so an attacker can perform a path traversal attack to read any file on the Windows platform.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tapestry fails to filter the backslash character in asset URLs, enabling path traversal on Windows to read arbitrary files.
Apache Tapestry processes assets via the /assets/ctx path using a chain of classes (StaticFilesFilter -> AssetDispatcher -> ContextResource). The vulnerability arises because this chain does not filter the backslash character (\), which is accepted as a path separator on the Windows operating system [1].
An unauthenticated attacker can craft a URL containing \ to traverse outside the intended assets directory. For example, a request to /assets/ctx/..\..\windows\win.ini would allow reading files outside the web application root. The attack requires that the Tapestry application is deployed on a Windows platform [1].
Successful exploitation allows an attacker to read arbitrary files on the Windows file system that the application server process can access. This could include sensitive configuration files, source code, or other data, leading to information disclosure [1].
Apache has released patches for Tapestry versions 5.4.5 and 5.5.0. Users are advised to upgrade to these versions or later. For versions that cannot be upgraded, applying input validation to filter backslashes in asset URLs may serve as a workaround [1].
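As an added illustration of the workaround mentioned above (not Tapestry's own code and not from the advisory), the following guard checks the remainder of a /assets/ctx request before it reaches the asset dispatcher; the class name, the Path-based root and the sample requests are assumptions, and it needs Java 11 or later:

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

/** Hypothetical guard for asset requests; not part of Apache Tapestry. */
public final class AssetPathGuard {
    private final Path assetRoot;

    public AssetPathGuard(Path assetRoot) {
        // Canonical root so that startsWith() below compares real prefixes.
        this.assetRoot = assetRoot.toAbsolutePath().normalize();
    }

    /** True only if the requested path stays inside assetRoot. */
    public boolean isSafe(String requestPath) {
        // Decode once: a "%5C" left in a raw path would otherwise slip past
        // the backslash check below.
        String decoded = URLDecoder.decode(requestPath, StandardCharsets.UTF_8);

        // The CVE: '\' is a path separator on Windows but was passed through
        // unfiltered. Reject it outright instead of trying to canonicalise it.
        if (decoded.indexOf('\\') >= 0 || decoded.indexOf('\0') >= 0) {
            return false;
        }
        // Reject traversal segments regardless of how the path is written.
        for (String segment : decoded.split("/")) {
            if (segment.equals("..")) {
                return false;
            }
        }
        // Final containment check on the resolved location.
        try {
            String relative = decoded.startsWith("/") ? decoded.substring(1) : decoded;
            Path resolved = assetRoot.resolve(relative).normalize();
            return resolved.startsWith(assetRoot);
        } catch (InvalidPathException e) {
            // e.g. a drive letter or an illegal character on Windows
            return false;
        }
    }

    public static void main(String[] args) {
        AssetPathGuard guard = new AssetPathGuard(Path.of("webapp/assets"));
        // Constructed sample requests; the second mirrors the URL shape in the text.
        System.out.println("css allowed: " + guard.isSafe("/css/site.css"));
        System.out.println("raw backslash allowed: " + guard.isSafe("/..\\..\\windows\\win.ini"));
        System.out.println("encoded backslash allowed: " + guard.isSafe("/%2e%2e%5c%2e%2e%5cwindows%5cwin.ini"));
    }
}
```

The raw and percent-encoded variants must both be rejected, since the container may or may not have decoded the path before the check runs.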
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tapestry:tapestry-core (Maven) | >= 5.4.0, < 5.4.5 | 5.4.5 |
Affected products
- Apache / Apache Tapestry (v5). Range: Apache Tapestry 5.4.0 to 5.4.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-89r3-rcpj-h7w6 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-0207 (GHSA advisory)
- lists.apache.org/thread.html/765be3606d865de513f6df9288842c3cf58b09a987c617a535f2b99d@%3Cusers.tapestry.apache.org%3E (users@tapestry mailing list; listed by MITRE and GHSA)
- lists.apache.org/thread.html/bac8d6f9e1b4059b319d9cba6f33219a99b81623476ec896138f851c@%3Cusers.tapestry.apache.org%3E (users@tapestry mailing list; listed by MITRE and GHSA)
- lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c@%3Ccommits.tapestry.apache.org%3E (commits@tapestry mailing list; listed by MITRE and GHSA)
- lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843@%3Ccommits.tapestry.apache.org%3E (commits@tapestry mailing list; listed by MITRE and GHSA)
News mentions
No linked articles in our index yet.