PT-2020-15035 · Apache · Apache Tapestry

Published: 2020-12-08 · Updated: 2024-08-03 · CVE-2020-17531

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Tapestry version 4

Description
Apache Tapestry 4 deserializes the value of the sp request parameter with Java serialization before it invokes the page's validate method, the hook a Tapestry 4 application normally uses to enforce authentication. An unauthenticated remote attacker can therefore submit a crafted sp value and have it deserialized by the server. With a suitable gadget chain on the application's classpath this is the usual route to remote code execution, which is what the CVSS 9.8 rating reflects. Apache Tapestry 4 reached end of life in 2008 and no release fixing this issue will be published. Apache Tapestry 5 is not affected.

Recommendations
Apache Tapestry 4 will not be patched. Migrate to a current Apache Tapestry 5 release; Tapestry 5 is a different framework API rather than a drop-in upgrade, so this means porting the application. Until that is done, restrict access to the sp parameter at a reverse proxy, WAF or servlet filter: reject requests that carry it, or at least refuse it from unauthenticated clients. Tapestry 4 uses sp to carry service parameters for its own link components, so test the application before blocking the parameter outright, and treat the restriction as a stop-gap rather than a fix.
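The following servlet filter is an added example of the stop-gap described above; it is not code from this advisory or from the Tapestry project. It assumes a javax.servlet (Servlet 2.x/3.x) container, which is what Tapestry 4 deployments run on, and the class name, logger and 403 response are choices made here. It rejects every request that carries the sp parameter before the request can reach Tapestry's ApplicationServlet, so nothing is handed to Java deserialization.

```java
// Added example (not part of the advisory or the Tapestry project): a servlet
// filter that refuses any request carrying the "sp" parameter while an
// application is still on Tapestry 4. Register it in web.xml with a
// <filter-mapping> that precedes the Tapestry ApplicationServlet's URL pattern.
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BlockTapestrySpFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(BlockTapestrySpFilter.class.getName());

    // The Tapestry 4 service-parameter request parameter named in CVE-2020-17531.
    private static final String BLOCKED_PARAM = "sp";

    @Override
    public void init(FilterConfig config) {
        // No configuration is needed for this example.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest
                && hasBlockedParameter((HttpServletRequest) request)) {
            HttpServletRequest http = (HttpServletRequest) request;
            // Record source and target for incident response, but not the value:
            // a serialized gadget chain can be large and is better captured at the proxy.
            LOG.warning("Rejected request with '" + BLOCKED_PARAM + "' parameter from "
                    + http.getRemoteAddr() + " to " + http.getRequestURI());
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // Tapestry never sees the request, so nothing is deserialized.
        }
        chain.doFilter(request, response);
    }

    // getParameterMap() covers both the query string and a form-encoded POST body,
    // i.e. every source a servlet's getParameter() would read "sp" from. A request
    // that repeats the parameter (sp=...&sp=...) is caught as well.
    static boolean hasBlockedParameter(HttpServletRequest request) {
        return request.getParameterMap().containsKey(BLOCKED_PARAM);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Blocking sp outright will break any Tapestry 4 link that legitimately encodes service parameters. If the application depends on those, a narrower variant can let the parameter through only when the request carries an authenticated session, but that still leaves every logged-in user able to reach the deserialization path, so the filter buys time for the migration rather than replacing it.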

Fix

Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)

Related Identifiers
CVE-2020-17531
GHSA-C566-2GRG-MJWG

Affected Products
Apache Tapestry