CVE-2020-13953
Description
In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Crafting specific URLs allows an attacker to download files inside the WEB-INF folder of an Apache Tapestry WAR from version 5.4.0 to 5.5.0.
Vulnerability
Overview
In Apache Tapestry versions 5.4.0 through 5.5.0, a path traversal vulnerability exists that allows an attacker to download files located within the WEB-INF folder of the deployed WAR application. This folder typically contains sensitive configuration files, classes, and JARs that should not be accessible from the web [1].
Exploitation
The vulnerability is triggered by crafting specific URLs that bypass access controls and allow the retrieval of files within the WEB-INF directory. The attacker does not require authentication to exploit this, as the vulnerable code processes the crafted URL without proper validation, exposing internal application resources [1].
Impact
Successful exploitation enables an attacker to read configuration files, source code, and other sensitive data stored in the WEB-INF folder. This can lead to further compromise by exposing application secrets, database credentials, or revealing code patterns that could be used for other attacks [1].
Mitigation
Users should upgrade to Apache Tapestry version 5.5.1 or later, which contains a fix for this vulnerability. No workarounds have been published by the vendor [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tapestry:tapestry-coreMaven | >= 5.4.0, < 5.6.0 | 5.6.0 |
Affected products
2- Apache/Tapestrydescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-w9mp-p2wp-2xf7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-13953ghsaADVISORY
- lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3Emitremailing-listx_refsource_MLIST
- lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb@%3Cusers.tapestry.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r50eb12e8a12074a9b7ed63cbab91d180d19cc23dc1da3ed5b6e1280f%40%3Cusers.tapestry.apache.org%3Eghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.