CVE-2021-30638
CVE-2021-30638 is a high-severity vulnerability in Apache Tapestry with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-863.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 5.0
- EPSS exploit prediction: 7% (93rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-863
- Affected product: Apache Tapestry
- Published:
- Last modified:
Description
Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.
Frequently asked questions
- What is CVE-2021-30638?
- Information Exposure vulnerability in context asset handling of Apache Tapestry allows an attacker to download files inside WEB-INF if using a specially-constructed URL. This was caused by an incomplete fix for CVE-2020-13953. This issue affects Apache Tapestry Apache Tapestry 5.4.0 version to Apache Tapestry 5.6.3; Apache Tapestry 5.7.0 version and Apache Tapestry 5.7.1.
- How severe is CVE-2021-30638?
- CVE-2021-30638 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2021-30638 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 7% (93rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-30638?
- CVE-2021-30638 affects Apache Tapestry. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-30638?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-30638 published?
- CVE-2021-30638 was published on 2021-04-27 and last updated on 2026-06-17.
References
- http://www.openwall.com/lists/oss-security/2021/04/27/3
- https://lists.apache.org/thread.html/r37dab61fc7f7088d4311e7f995ef4117d58d86a675f0256caa6991eb%40%3Cusers.tapestry.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210528-0004/
- https://www.zerodayinitiative.com/advisories/ZDI-21-491/
Affected products (1)
- cpe:2.3:a:apache:tapestry:*:*:*:*:*:*:*:*
More vulnerabilities in Apache Tapestry
- CVE-2022-46366 — Critical (CVSS 9.8): Apache Tapestry 3.x allows deserialization of untrusted data, leading to remote code execution. This issue is similar…
- CVE-2021-27850 — Critical (CVSS 9.8): A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The…
- CVE-2020-17531 — Critical (CVSS 9.8): A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the…
- CVE-2019-10071 — Critical (CVSS 9.8): The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side…
- CVE-2019-0195 — Critical (CVSS 9.8): Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it…
- CVE-2014-1972 — High (CVSS 7.8): Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an…
All CVEs affecting Apache Tapestry →
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →