DEBIAN-CVE-2023-49735

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/DEBIAN-CVE-2023-49735

Import Source

https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2023-49735.json

JSON Data

https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2023-49735

Upstream

CVE-2023-49735

Published

2023-11-30T22:15:09Z

Modified

2025-09-18T05:18:34Z

Summary

[none]

Details

* UNSUPPORTED WHEN ASSIGNED * The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

References

https://security-tracker.debian.org/tracker/CVE-2023-49735

Affected packages

Debian:11 / tiles

Package

Name: tiles
Purl: pkg:deb/debian/tiles?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / tiles

Package

Name: tiles
Purl: pkg:deb/debian/tiles?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / tiles

Package

Name: tiles
Purl: pkg:deb/debian/tiles?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:14 / tiles

Package

Name: tiles
Purl: pkg:deb/debian/tiles?arch=source

Affected ranges

Ecosystem specific

{
    "urgency": "unimportant"
}