{"schema_version": "1.6.1", "id": "CVE-2021-27850", "summary": "Bypass of the fix for CVE-2019-0195", "details": "A critical unauthenticated remote code execution vulnerability was found\nall recent versions of Apache Tapestry.\nThe affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0.\n\nThe vulnerability I have found is a bypass of the fix for CVE-2019-0195.\n\nRecap:\n\nBefore the fix of CVE-2019-0195 it was possible to download arbitrary\nclass files from the classpath by providing a crafted\nasset file URL.\nAn attacker was able to download the file `AppModule.class` by\nrequesting the URL\n`http://localhost:8080/assets/something/services/AppModule.class`\nwhich contains a HMAC secret key.\nThe fix for that bug was a blacklist filter that checks if the URL\nends with `.class`, `.properties` or `.xml`.\n\nBypass:\n\nUnfortunately, the blacklist solution can simply be bypassed by\nappending a `/` at the end of the URL:\n\n`http://localhost:8080/assets/something/services/AppModule.class/`\nThe slash is stripped after the blacklist check and the file\n`AppModule.class` is loaded into the response.\nThis class usually contains the HMAC secret key which is used to sign\nserialized Java objects.\nWith the knowledge of that key an attacker can sign a Java gadget\nchain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "Apache Tapestry 5.5.0"}, {"last_affected": "Apache Tapestry 5.5.0"}]}, {"type": "SEMVER", "events": [{"introduced": "Apache Tapestry 5.7.0"}, {"last_affected": "Apache Tapestry 5.7.0"}]}, {"type": "SEMVER", "events": [{"introduced": "Apache Tapestry 5.4.5"}, {"fixed": "Apache Tapestry 5.4.0*"}]}, {"type": "SEMVER", "events": [{"introduced": "Apache Tapestry 5.6.2"}, {"fixed": "Apache Tapestry 5.6.0*"}]}]}], "references": [{"type": "ADVISORY", "url": "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E"}]}