{"id":"CVE-2021-30638","details":"Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF by using a specially constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry versions 5.4.0 through 5.6.3, and Apache Tapestry versions 5.7.0 and 5.7.1.","aliases":["GHSA-ghm8-mmx7-xvg2"],"modified":"2026-04-12T02:46:34.987276Z","published":"2021-04-27T19:15:07.733Z","references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/04/27/3"},{"type":"ADVISORY","url":"https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210528-0004/"},{"type":"ADVISORY","url":"https://www.zerodayinitiative.com/advisories/ZDI-21-491/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/tapestry-5","events":[{"introduced":"2672e9847ad56d2b3f83c28319b532b92d6af5c9"},{"fixed":"465024dec93adbb5e3b910c76a641366e45c58ce"},{"introduced":"e6f2930cddbd22cae01629be1f615cf2d6fae53b"},{"fixed":"ae95b7d598a1eec133be8feea79f24ba0962d1aa"}],"database_specific":{"cpe":"cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"5.4.0"},{"fixed":"5.6.4"},{"introduced":"5.7.0"},{"fixed":"5.7.2"}],"source":"CPE_FIELD"}}],"versions":["5.4.0","5.4.1","5.5.0","5.5.0-alpha-1","5.5.0-alpha-10","5.5.0-alpha-2","5.5.0-alpha-3","5.5.0-alpha-4","5.5.0-alpha-5","5.5.0-alpha-6","5.5.0-alpha-7","5.5.0-alpha-8","5.5.0-alpha-9","5.5.0-beta-1","5.5.0-beta-2","5.6.0","5.6.1","5.6.2","5.6.3","5.7.0","5.7.1","v5.5.0-beta-3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-30638.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}