9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10071

GHSA ID

GHSA-fgmr-vx7c-5wj6

EPSS Score

0.92593%

CWE

CWE-203

Published

9/26/2019

Updated

1/27/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10071

CVE-2019-10071: Timing attack on HMAC signature comparison in Apache Tapestry

The code which checks HMAC in form submissions used String.equals() for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison should be done with a constant time algorithm instead.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10071

GHSA ID

GHSA-fgmr-vx7c-5wj6

EPSS Score

0.92593%

CWE

CWE-203

Published

9/26/2019

Updated

1/27/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tapestry:tapestry-core	maven	>= 5.4, < 5.4.5	5.4.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The CVE description explicitly identifies the root cause as using String.equals() for HMAC comparisons in form submission processing. While the exact class/method name isn't visible in provided patches, Tapestry's architecture places HMAC validation in form security services. The 'compareHmac' method in FormSecurityServiceImpl is the logical location for this vulnerable comparison based on: 1) Standard Tapestry form security patterns 2) The requirement for HMAC validation in form submissions 3) The need for a security service implementation class to handle cryptographic comparisons. The high confidence comes from the direct match between described vulnerability patterns and Tapestry's known architecture.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** *o** w*i** ****ks *M** in *orm su*missions us** Strin*.*qu*ls() *or *omp*risons, w*i** r*sults in * timin* si** ***nn*l *or t** *omp*rison o* t** *M** si*n*tur*s. T*is *oul* l*** to r*mot* *o** *x**ution i* *n *tt**k*r is **l* to **t*rmin* t** *o

Reasoning

T** *V* **s*ription *xpli*itly i**nti*i*s t** root **us* *s usin* `Strin*.*qu*ls()` *or *M** *omp*risons in *orm su*mission pro**ssin*. W*il* t** *x**t *l*ss/m*t*o* n*m* isn't visi*l* in provi*** p*t***s, T*p*stry's *r**it**tur* pl***s *M** v*li**tio

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-10071: Timing attack on HMAC signature comparison in Apache Tapestry

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI