
CVE-2023-49735

Apache Tiles: Unvalidated input may lead to path traversal and XXE

  • Severity Score: 7.5 (CVSS v3.1)
  • Exploit Likelihood: < 1% (EPSS)
  • Affected Versions: 1 (CPE)
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: Attend (SSVC)
Descriptions

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles. This issue affects Apache Tiles from version 2 onwards. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

*Credits: Joseph Beeton of Contrast Security
CVSS Scores
CVSS v3.1
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None
CVSS v2
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Complete
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-11-30 CVE Reserved
  • 2023-11-30 CVE Published
  • 2024-11-20 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
References (1)
Affected Vendors, Products, and Versions (1)
* End Of Life in some or all products. Do not expect updates.