Cyber Resilience

CVE-2021-30638

High

Published: 27 April 2021

Modified: 21 November 2024
KEV Added: not listed
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0531 (90.2nd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-30638 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Apache Tapestry. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Vulnerability details

Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry versions 5.4.0 through 5.6.3, and Apache Tapestry 5.7.0 and 5.7.1.

CWE(s)

CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor); the control mapping below also references CWE-863 (Incorrect Authorization).

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / tapestry: 5.4.0 to 5.6.4, and 5.7.0 to 5.7.2

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels. (addresses: CWE-863, CWE-200)

Ensures authorization decisions for external system use are correctly implemented and enforced. (addresses: CWE-863, CWE-200)

Assists users in evaluating and applying correct authorization decisions when sharing information with external partners. (addresses: CWE-863, CWE-200)

Session auditing enables detection of unauthorized exposure of, or access to, sensitive information during user activities. (addresses: CWE-200, CWE-863)

Drives review and correction of flawed authorization logic applied to organizational data. (addresses: CWE-863, CWE-200)

Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems. (addresses: CWE-200, CWE-863)

Restricts processing strictly to documented authorized uses, mitigating incorrect authorization decisions for sensitive data. (addresses: CWE-863, CWE-200)

Addresses incorrect authorization by requiring independent verification of results and an opportunity to contest before any adverse action is taken. (addresses: CWE-863, CWE-200)
