This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: Critical unauthenticated Remote Code Execution (RCE). **Consequences**: Attackers download `AppModule.class` to leak the HMAC secret key. …
**CWE**: CWE-200 (Information Exposure). **Flaw**: The framework exposes the HMAC signing key via a specific URL path (`/assets/.../AppModule.class`). This bypasses the previous fix for CVE-2019-0195. …
**Threshold**: VERY LOW. **Auth**: None required (unauthenticated). **Config**: Exploitable via standard HTTP requests. **Ease**: Simple URL manipulation to extract the key, then use PoC tools for RCE.
Q6. Is there a public Exp? (PoC / wild exploitation)
**Public Exp?**: YES. **PoCs Available**: Multiple GitHub repositories (e.g., `kahla-sec`, `dorkerdevil`, `Ovi3`). **Wild Exploitation**: High risk. Nuclei templates exist for automated scanning. …
**Official Fix**: YES. **Patch**: Upgrade Apache Tapestry to version **5.7.1** or later. **Note**: This CVE is a bypass of the earlier CVE-2019-0195 fix; ensure the latest version is applied.
Q9. What if no patch? (Workaround)
**No-Patch Workaround**: 1. **Block Access**: Restrict access to `/assets/` paths containing `AppModule.class` via WAF or Nginx config. 2. **Network Segmentation**: Limit exposure of Tapestry servers. 3. …
**Priority**: CRITICAL / URGENT. **Timeline**: Published April 2021, but PoCs are mature and public. **Action**: Immediate patching to v5.7.1+ is mandatory. …