GHSA-qw4h-3xjj-84cc

Suggest an improvement
Source
https://github.com/advisories/GHSA-qw4h-3xjj-84cc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-qw4h-3xjj-84cc/GHSA-qw4h-3xjj-84cc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-qw4h-3xjj-84cc
Aliases
Published
2023-12-01T00:31:00Z
Modified
2023-12-12T22:01:07.406168Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Apache Tiles: Unvalidated input may lead to path traversal and XXE
Details

The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles.

This issue affects Apache Tiles from version 2 onwards.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Database specific
{
    "nvd_published_at": "2023-11-30T22:15:09Z",
    "cwe_ids": [
        "CWE-22",
        "CWE-776"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-11T21:45:42Z"
}
References

Affected packages

Maven / org.apache.tiles:tiles-core

Package

Name
org.apache.tiles:tiles-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tiles/tiles-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0

Affected versions

2.*

2.0.1
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2

3.*

3.0.0
3.0.1
3.0.3
3.0.4
3.0.5
3.0.7
3.0.8