ByteOS Network

NVD Vulnerability Details :

CVE-2019-10071

Modified

Source-security@apache.org

Published At-16 Sep, 2019 | 18:15

Updated At-07 Nov, 2023 | 03:02

The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm instead.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary	2.0	6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P

CPE Matches

The Apache Software Foundation

>>tapestry>>Versions from 5.4.0(inclusive) to 5.4.3(inclusive)

cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-203	Primary	nvd@nist.gov

References

Hyperlink	Source	Resource
https://lists.apache.org/thread.html/6e8f42c88da7be3c60aafe3f6a85eb00b4f8b444de26b38d36233a43%40%3Cusers.tapestry.apache.org%3E	security@apache.org	N/A
https://lists.apache.org/thread.html/7a437dad5af7309aba4d01bfc2463b3ac34e6aafaa565381d3a36460%40%3Cusers.tapestry.apache.org%3E	security@apache.org	N/A
https://lists.apache.org/thread.html/bac8d6f9e1b4059b319d9cba6f33219a99b81623476ec896138f851c%40%3Cusers.tapestry.apache.org%3E	security@apache.org	N/A
https://lists.apache.org/thread.html/r7d9c54beb1dc97dcccc58d9b5d31f0f7166f9a25ad1beba5f8091e0c%40%3Ccommits.tapestry.apache.org%3E	security@apache.org	N/A
https://lists.apache.org/thread.html/r87523dd07886223aa086edc25fe9b8ddb9c1090f7db25b068dc30843%40%3Ccommits.tapestry.apache.org%3E	security@apache.org	N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History