Apache Tapestry Unauthenticated RCE (CVE-2019-0195, CVE-2021-27850) - Vulnerability Database

Description

The web application is running Apache Tapestry, which contains a critical vulnerability (CVE-2021-27850) that allows unauthenticated attackers to download arbitrary class files from the application's classpath by manipulating asset file URLs. An attacker can use this information disclosure to obtain sensitive class files, analyze the application's internals, and potentially achieve remote code execution on the server.

Remediation

Immediately upgrade Apache Tapestry to a patched version to remediate this vulnerability:

1. If running Tapestry 5.4.x through 5.6.1, upgrade to version 5.6.2 or later
2. If running Tapestry 5.7.0-alpha or beta releases, upgrade to version 5.7.0 (stable release) or later
3. After upgrading, verify the fix by testing that asset URLs cannot be manipulated to access arbitrary class files
4. Review application logs for any suspicious asset download attempts that may indicate prior exploitation

Note: Versions 5.4.5 through 5.6.1 are all vulnerable. Only versions 5.6.2 and 5.7.0 (or higher) contain the security fix for CVE-2021-27850.
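Two of the remediation steps above (deciding whether the deployed version falls in the affected range, and reviewing logs for asset requests that reference class files) can be scripted. The following is an added example, not part of the Invicti advisory and not Tapestry project code. The version check follows the ranges stated in this advisory: 5.4.5 through 5.6.1 is vulnerable, 5.7.0 pre-releases (alpha/beta) are vulnerable, and 5.6.2 and 5.7.0 or later are fixed. The log check assumes an Apache/nginx combined log format and that Tapestry serves assets under the `/assets/` prefix; the log lines and the application path `app/pages/Index` are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import unquote

# Affected range per the advisory's Note (inclusive on both ends).
VULN_LOW = (5, 4, 5)
VULN_HIGH = (5, 6, 1)

# Assumed default path prefix under which Tapestry serves asset files.
ASSET_PREFIX = "/assets/"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z].*))?$")

# Combined log format: ip ident user [time] "METHOD target PROTO" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], Optional[str]]:
    """Split '5.7.0-beta-2' into ((5, 7, 0), 'beta-2'); a stable release has no suffix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tapestry version string: {version!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return core, m.group(4)


def is_vulnerable(version: str) -> bool:
    """Return True if the given Tapestry version is in the range the advisory lists as affected."""
    core, prerelease = parse_version(version)
    if VULN_LOW <= core <= VULN_HIGH:
        return True
    # 5.7.0-alpha / 5.7.0-beta are affected; the stable 5.7.0 release is fixed.
    if core == (5, 7, 0) and prerelease is not None:
        return True
    return False


def suspicious_asset_requests(log_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Flag asset requests whose (URL-decoded) path references a .class file.

    Decoding first means percent-encoded variants such as '%2Eclass' are
    not missed by a plain substring match on the raw request line.
    """
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than fail
        raw_path = m.group("target").split("?", 1)[0]
        path = unquote(raw_path)
        if not path.startswith(ASSET_PREFIX):
            continue
        if ".class" in path.lower():
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log: one benign asset request, two class-file requests
# (the second percent-encoded), and one unrelated page request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /assets/meta/abc123/tapestry/tapestry.css HTTP/1.1" 200 1432',
    '203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /assets/meta/abc123/app/pages/Index.class HTTP/1.1" 200 2201',
    '203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /assets/meta/abc123/app/pages/Index%2Eclass HTTP/1.1" 200 2201',
    '198.51.100.7 - - [10/Mar/2024:12:00:04 +0000] "GET /index HTTP/1.1" 200 5120',
]


if __name__ == "__main__":
    for v in ("5.4.5", "5.6.1", "5.6.2", "5.7.0-beta-2", "5.7.0"):
        print(f"{v:14s} vulnerable={is_vulnerable(v)}")
    for hit in suspicious_asset_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} {hit['status']} {hit['path']}")
```

A 200 response on a flagged request is the case worth escalating, since it indicates the class file was actually served; a 404 on the same path is still evidence of probing and worth correlating with the same source address.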
