CVE-2020-13953

moderate-risk
Published 2020-09-30

In Apache Tapestry from 5.4.0 to 5.5.0, crafting specific URLs, an attacker can download files inside the WEB-INF folder of the WAR being run.

Do I need to act?

~
1.8% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Apache

References (4)

https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675...
Mailing List https://lists.apache.org/thread.html/r50eb12e8a12074a9b7ed63cbab91d180d19cc23dc1...
https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675...
Mailing List https://lists.apache.org/thread.html/r50eb12e8a12074a9b7ed63cbab91d180d19cc23dc1...
31
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 5/34 · Minimal
Exposure 5/34 · Minimal