CVE-2019-10071

Name of the Vulnerable Software and Affected Versions Apache Tapestry (affected versions not specified)

Description The issue arises from the use of String.equals() for comparing HMAC signatures in form submissions, which introduces a timing side channel. This could potentially lead to remote code execution if an attacker determines the correct signature for their payload. A constant time algorithm should be used for comparisons instead. The vulnerability exists due to insufficient input validation in the String.equals() function of the Apache Tapestry web application platform, allowing a remote attacker to execute arbitrary code.

Recommendations As a temporary workaround, consider using a constant time algorithm for HMAC signature comparisons until a patch is available. Restrict access to sensitive functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.